--- /srv/rebuilderd/tmp/rebuilderd4SAdlF/inputs/ssg-applications_0.1.76-1_all.deb
+++ /srv/rebuilderd/tmp/rebuilderd4SAdlF/out/ssg-applications_0.1.76-1_all.deb
├── file list
│ @@ -1,3 +1,3 @@
│  -rw-r--r--   0        0        0        4 2025-03-01 08:08:00.000000 debian-binary
│ --rw-r--r--   0        0        0     1724 2025-03-01 08:08:00.000000 control.tar.xz
│ --rw-r--r--   0        0        0   151816 2025-03-01 08:08:00.000000 data.tar.xz
│ +-rw-r--r--   0        0        0     1728 2025-03-01 08:08:00.000000 control.tar.xz
│ +-rw-r--r--   0        0        0   151796 2025-03-01 08:08:00.000000 data.tar.xz
├── control.tar.xz
│ ├── control.tar
│ │ ├── ./md5sums
│ │ │ ├── ./md5sums
│ │ │ │┄ Files differ
├── data.tar.xz
│ ├── data.tar
│ │ ├── ./usr/share/xml/scap/ssg/content/ssg-chromium-ds.xml
│ │ │ ├── ./usr/share/xml/scap/ssg/content/ssg-chromium-ds.xml
│ │ │ │┄ Ordering differences only
│ │ │ │ @@ -2554,433 +2554,433 @@
│ │ │ │        <ocil:questionnaires>
│ │ │ │          <ocil:questionnaire id="ocil:ssg-chromium_disable_google_sync_ocil:questionnaire:1">
│ │ │ │            <ocil:title>Disable Data Synchronization to Google</ocil:title>
│ │ │ │            <ocil:actions>
│ │ │ │              <ocil:test_action_ref>ocil:ssg-chromium_disable_google_sync_action:testaction:1</ocil:test_action_ref>
│ │ │ │            </ocil:actions>
│ │ │ │          </ocil:questionnaire>
│ │ │ │ +        <ocil:questionnaire id="ocil:ssg-chromium_disable_metrics_reporting_ocil:questionnaire:1">
│ │ │ │ +          <ocil:title>Disable Metrics Reporting</ocil:title>
│ │ │ │ +          <ocil:actions>
│ │ │ │ +            <ocil:test_action_ref>ocil:ssg-chromium_disable_metrics_reporting_action:testaction:1</ocil:test_action_ref>
│ │ │ │ +          </ocil:actions>
│ │ │ │ +        </ocil:questionnaire>
│ │ │ │          <ocil:questionnaire id="ocil:ssg-chromium_disable_3d_graphics_api_ocil:questionnaire:1">
│ │ │ │            <ocil:title>Disable the 3D Graphics APIs</ocil:title>
│ │ │ │            <ocil:actions>
│ │ │ │              <ocil:test_action_ref>ocil:ssg-chromium_disable_3d_graphics_api_action:testaction:1</ocil:test_action_ref>
│ │ │ │            </ocil:actions>
│ │ │ │          </ocil:questionnaire>
│ │ │ │ +        <ocil:questionnaire id="ocil:ssg-chromium_disable_saved_passwords_ocil:questionnaire:1">
│ │ │ │ +          <ocil:title>Disable Saved Passwords</ocil:title>
│ │ │ │ +          <ocil:actions>
│ │ │ │ +            <ocil:test_action_ref>ocil:ssg-chromium_disable_saved_passwords_action:testaction:1</ocil:test_action_ref>
│ │ │ │ +          </ocil:actions>
│ │ │ │ +        </ocil:questionnaire>
│ │ │ │ +        <ocil:questionnaire id="ocil:ssg-chromium_policy_file_ocil:questionnaire:1">
│ │ │ │ +          <ocil:title>Ensure the Chromium Policy Configuration File Exists</ocil:title>
│ │ │ │ +          <ocil:actions>
│ │ │ │ +            <ocil:test_action_ref>ocil:ssg-chromium_policy_file_action:testaction:1</ocil:test_action_ref>
│ │ │ │ +          </ocil:actions>
│ │ │ │ +        </ocil:questionnaire>
│ │ │ │ +        <ocil:questionnaire id="ocil:ssg-chromium_disable_autocomplete_ocil:questionnaire:1">
│ │ │ │ +          <ocil:title>Disable the AutoFill Feature</ocil:title>
│ │ │ │ +          <ocil:actions>
│ │ │ │ +            <ocil:test_action_ref>ocil:ssg-chromium_disable_autocomplete_action:testaction:1</ocil:test_action_ref>
│ │ │ │ +          </ocil:actions>
│ │ │ │ +        </ocil:questionnaire>
│ │ │ │          <ocil:questionnaire id="ocil:ssg-chromium_disable_cleartext_passwords_ocil:questionnaire:1">
│ │ │ │            <ocil:title>Disable Use of Cleartext Passwords</ocil:title>
│ │ │ │            <ocil:actions>
│ │ │ │              <ocil:test_action_ref>ocil:ssg-chromium_disable_cleartext_passwords_action:testaction:1</ocil:test_action_ref>
│ │ │ │            </ocil:actions>
│ │ │ │          </ocil:questionnaire>
│ │ │ │ -        <ocil:questionnaire id="ocil:ssg-chromium_default_block_plugins_ocil:questionnaire:1">
│ │ │ │ -          <ocil:title>Block Plugins by Default</ocil:title>
│ │ │ │ +        <ocil:questionnaire id="ocil:ssg-chromium_enable_browser_history_ocil:questionnaire:1">
│ │ │ │ +          <ocil:title>Enable Saving the Browser History</ocil:title>
│ │ │ │            <ocil:actions>
│ │ │ │ -            <ocil:test_action_ref>ocil:ssg-chromium_default_block_plugins_action:testaction:1</ocil:test_action_ref>
│ │ │ │ +            <ocil:test_action_ref>ocil:ssg-chromium_enable_browser_history_action:testaction:1</ocil:test_action_ref>
│ │ │ │            </ocil:actions>
│ │ │ │          </ocil:questionnaire>
│ │ │ │ -        <ocil:questionnaire id="ocil:ssg-chromium_disable_thirdparty_cookies_ocil:questionnaire:1">
│ │ │ │ -          <ocil:title>Disable 3rd Party Cookies</ocil:title>
│ │ │ │ +        <ocil:questionnaire id="ocil:ssg-chromium_enable_encrypted_searching_ocil:questionnaire:1">
│ │ │ │ +          <ocil:title>Enable Encrypted Searching</ocil:title>
│ │ │ │            <ocil:actions>
│ │ │ │ -            <ocil:test_action_ref>ocil:ssg-chromium_disable_thirdparty_cookies_action:testaction:1</ocil:test_action_ref>
│ │ │ │ +            <ocil:test_action_ref>ocil:ssg-chromium_enable_encrypted_searching_action:testaction:1</ocil:test_action_ref>
│ │ │ │            </ocil:actions>
│ │ │ │          </ocil:questionnaire>
│ │ │ │ -        <ocil:questionnaire id="ocil:ssg-chromium_block_desktop_notifications_ocil:questionnaire:1">
│ │ │ │ -          <ocil:title>Prevent Desktop Notifications</ocil:title>
│ │ │ │ +        <ocil:questionnaire id="ocil:ssg-chromium_disable_thirdparty_cookies_ocil:questionnaire:1">
│ │ │ │ +          <ocil:title>Disable 3rd Party Cookies</ocil:title>
│ │ │ │            <ocil:actions>
│ │ │ │ -            <ocil:test_action_ref>ocil:ssg-chromium_block_desktop_notifications_action:testaction:1</ocil:test_action_ref>
│ │ │ │ +            <ocil:test_action_ref>ocil:ssg-chromium_disable_thirdparty_cookies_action:testaction:1</ocil:test_action_ref>
│ │ │ │            </ocil:actions>
│ │ │ │          </ocil:questionnaire>
│ │ │ │ -        <ocil:questionnaire id="ocil:ssg-chromium_disable_firewall_traversal_ocil:questionnaire:1">
│ │ │ │ -          <ocil:title>Disable Chromium's Ability to Traverse Firewalls</ocil:title>
│ │ │ │ +        <ocil:questionnaire id="ocil:ssg-chromium_enable_approved_plugins_ocil:questionnaire:1">
│ │ │ │ +          <ocil:title>Enable Only Approved Plugins</ocil:title>
│ │ │ │            <ocil:actions>
│ │ │ │ -            <ocil:test_action_ref>ocil:ssg-chromium_disable_firewall_traversal_action:testaction:1</ocil:test_action_ref>
│ │ │ │ +            <ocil:test_action_ref>ocil:ssg-chromium_enable_approved_plugins_action:testaction:1</ocil:test_action_ref>
│ │ │ │            </ocil:actions>
│ │ │ │          </ocil:questionnaire>
│ │ │ │ -        <ocil:questionnaire id="ocil:ssg-chromium_disable_popups_ocil:questionnaire:1">
│ │ │ │ -          <ocil:title>Disable Popups</ocil:title>
│ │ │ │ +        <ocil:questionnaire id="ocil:ssg-chromium_trusted_home_page_ocil:questionnaire:1">
│ │ │ │ +          <ocil:title>Set the Default Home Page</ocil:title>
│ │ │ │            <ocil:actions>
│ │ │ │ -            <ocil:test_action_ref>ocil:ssg-chromium_disable_popups_action:testaction:1</ocil:test_action_ref>
│ │ │ │ +            <ocil:test_action_ref>ocil:ssg-chromium_trusted_home_page_action:testaction:1</ocil:test_action_ref>
│ │ │ │            </ocil:actions>
│ │ │ │          </ocil:questionnaire>
│ │ │ │          <ocil:questionnaire id="ocil:ssg-chromium_default_search_provider_ocil:questionnaire:1">
│ │ │ │            <ocil:title>Enable the Default Search Provider</ocil:title>
│ │ │ │            <ocil:actions>
│ │ │ │              <ocil:test_action_ref>ocil:ssg-chromium_default_search_provider_action:testaction:1</ocil:test_action_ref>
│ │ │ │            </ocil:actions>
│ │ │ │          </ocil:questionnaire>
│ │ │ │ -        <ocil:questionnaire id="ocil:ssg-chromium_disable_outdated_plugins_ocil:questionnaire:1">
│ │ │ │ -          <ocil:title>Disable Outdated Plugins</ocil:title>
│ │ │ │ +        <ocil:questionnaire id="ocil:ssg-chromium_block_desktop_notifications_ocil:questionnaire:1">
│ │ │ │ +          <ocil:title>Prevent Desktop Notifications</ocil:title>
│ │ │ │            <ocil:actions>
│ │ │ │ -            <ocil:test_action_ref>ocil:ssg-chromium_disable_outdated_plugins_action:testaction:1</ocil:test_action_ref>
│ │ │ │ +            <ocil:test_action_ref>ocil:ssg-chromium_block_desktop_notifications_action:testaction:1</ocil:test_action_ref>
│ │ │ │            </ocil:actions>
│ │ │ │          </ocil:questionnaire>
│ │ │ │ -        <ocil:questionnaire id="ocil:ssg-chromium_extension_whitelist_ocil:questionnaire:1">
│ │ │ │ -          <ocil:title>Enable Only Approved Extensions</ocil:title>
│ │ │ │ +        <ocil:questionnaire id="ocil:ssg-chromium_disable_popups_ocil:questionnaire:1">
│ │ │ │ +          <ocil:title>Disable Popups</ocil:title>
│ │ │ │            <ocil:actions>
│ │ │ │ -            <ocil:test_action_ref>ocil:ssg-chromium_extension_whitelist_action:testaction:1</ocil:test_action_ref>
│ │ │ │ +            <ocil:test_action_ref>ocil:ssg-chromium_disable_popups_action:testaction:1</ocil:test_action_ref>
│ │ │ │            </ocil:actions>
│ │ │ │          </ocil:questionnaire>
│ │ │ │ -        <ocil:questionnaire id="ocil:ssg-chromium_enable_approved_plugins_ocil:questionnaire:1">
│ │ │ │ -          <ocil:title>Enable Only Approved Plugins</ocil:title>
│ │ │ │ +        <ocil:questionnaire id="ocil:ssg-chromium_disable_cloud_print_sharing_ocil:questionnaire:1">
│ │ │ │ +          <ocil:title>Disable Cloud Print Sharing</ocil:title>
│ │ │ │            <ocil:actions>
│ │ │ │ -            <ocil:test_action_ref>ocil:ssg-chromium_enable_approved_plugins_action:testaction:1</ocil:test_action_ref>
│ │ │ │ +            <ocil:test_action_ref>ocil:ssg-chromium_disable_cloud_print_sharing_action:testaction:1</ocil:test_action_ref>
│ │ │ │            </ocil:actions>
│ │ │ │          </ocil:questionnaire>
│ │ │ │ -        <ocil:questionnaire id="ocil:ssg-chromium_disable_automatic_installation_ocil:questionnaire:1">
│ │ │ │ -          <ocil:title>Disable Automatic Search And Installation of Plugins</ocil:title>
│ │ │ │ +        <ocil:questionnaire id="ocil:ssg-chromium_default_block_plugins_ocil:questionnaire:1">
│ │ │ │ +          <ocil:title>Block Plugins by Default</ocil:title>
│ │ │ │            <ocil:actions>
│ │ │ │ -            <ocil:test_action_ref>ocil:ssg-chromium_disable_automatic_installation_action:testaction:1</ocil:test_action_ref>
│ │ │ │ +            <ocil:test_action_ref>ocil:ssg-chromium_default_block_plugins_action:testaction:1</ocil:test_action_ref>
│ │ │ │            </ocil:actions>
│ │ │ │          </ocil:questionnaire>
│ │ │ │ -        <ocil:questionnaire id="ocil:ssg-chromium_disable_metrics_reporting_ocil:questionnaire:1">
│ │ │ │ -          <ocil:title>Disable Metrics Reporting</ocil:title>
│ │ │ │ +        <ocil:questionnaire id="ocil:ssg-chromium_extension_whitelist_ocil:questionnaire:1">
│ │ │ │ +          <ocil:title>Enable Only Approved Extensions</ocil:title>
│ │ │ │            <ocil:actions>
│ │ │ │ -            <ocil:test_action_ref>ocil:ssg-chromium_disable_metrics_reporting_action:testaction:1</ocil:test_action_ref>
│ │ │ │ +            <ocil:test_action_ref>ocil:ssg-chromium_extension_whitelist_action:testaction:1</ocil:test_action_ref>
│ │ │ │            </ocil:actions>
│ │ │ │          </ocil:questionnaire>
│ │ │ │ -        <ocil:questionnaire id="ocil:ssg-chromium_policy_file_ocil:questionnaire:1">
│ │ │ │ -          <ocil:title>Ensure the Chromium Policy Configuration File Exists</ocil:title>
│ │ │ │ +        <ocil:questionnaire id="ocil:ssg-chromium_disable_background_processing_ocil:questionnaire:1">
│ │ │ │ +          <ocil:title>Disable Background Processing</ocil:title>
│ │ │ │            <ocil:actions>
│ │ │ │ -            <ocil:test_action_ref>ocil:ssg-chromium_policy_file_action:testaction:1</ocil:test_action_ref>
│ │ │ │ +            <ocil:test_action_ref>ocil:ssg-chromium_disable_background_processing_action:testaction:1</ocil:test_action_ref>
│ │ │ │            </ocil:actions>
│ │ │ │          </ocil:questionnaire>
│ │ │ │ -        <ocil:questionnaire id="ocil:ssg-chromium_check_cert_revocation_ocil:questionnaire:1">
│ │ │ │ -          <ocil:title>Enable Online OCSP/CRL Certificate Checks</ocil:title>
│ │ │ │ +        <ocil:questionnaire id="ocil:ssg-chromium_disable_firewall_traversal_ocil:questionnaire:1">
│ │ │ │ +          <ocil:title>Disable Chromium's Ability to Traverse Firewalls</ocil:title>
│ │ │ │            <ocil:actions>
│ │ │ │ -            <ocil:test_action_ref>ocil:ssg-chromium_check_cert_revocation_action:testaction:1</ocil:test_action_ref>
│ │ │ │ +            <ocil:test_action_ref>ocil:ssg-chromium_disable_firewall_traversal_action:testaction:1</ocil:test_action_ref>
│ │ │ │            </ocil:actions>
│ │ │ │          </ocil:questionnaire>
│ │ │ │ -        <ocil:questionnaire id="ocil:ssg-chromium_disable_incognito_mode_ocil:questionnaire:1">
│ │ │ │ -          <ocil:title>Disable Incognito Mode</ocil:title>
│ │ │ │ +        <ocil:questionnaire id="ocil:ssg-chromium_enable_safe_browsing_ocil:questionnaire:1">
│ │ │ │ +          <ocil:title>Enable the Safe Browsing Feature</ocil:title>
│ │ │ │            <ocil:actions>
│ │ │ │ -            <ocil:test_action_ref>ocil:ssg-chromium_disable_incognito_mode_action:testaction:1</ocil:test_action_ref>
│ │ │ │ +            <ocil:test_action_ref>ocil:ssg-chromium_enable_safe_browsing_action:testaction:1</ocil:test_action_ref>
│ │ │ │            </ocil:actions>
│ │ │ │          </ocil:questionnaire>
│ │ │ │          <ocil:questionnaire id="ocil:ssg-chromium_disallow_location_tracking_ocil:questionnaire:1">
│ │ │ │            <ocil:title>Disable Location Tracking</ocil:title>
│ │ │ │            <ocil:actions>
│ │ │ │              <ocil:test_action_ref>ocil:ssg-chromium_disallow_location_tracking_action:testaction:1</ocil:test_action_ref>
│ │ │ │            </ocil:actions>
│ │ │ │          </ocil:questionnaire>
│ │ │ │ -        <ocil:questionnaire id="ocil:ssg-chromium_enable_encrypted_searching_ocil:questionnaire:1">
│ │ │ │ -          <ocil:title>Enable Encrypted Searching</ocil:title>
│ │ │ │ -          <ocil:actions>
│ │ │ │ -            <ocil:test_action_ref>ocil:ssg-chromium_enable_encrypted_searching_action:testaction:1</ocil:test_action_ref>
│ │ │ │ -          </ocil:actions>
│ │ │ │ -        </ocil:questionnaire>
│ │ │ │ -        <ocil:questionnaire id="ocil:ssg-chromium_disable_password_manager_ocil:questionnaire:1">
│ │ │ │ -          <ocil:title>Disable Chromium Password Manager</ocil:title>
│ │ │ │ +        <ocil:questionnaire id="ocil:ssg-chromium_disable_outdated_plugins_ocil:questionnaire:1">
│ │ │ │ +          <ocil:title>Disable Outdated Plugins</ocil:title>
│ │ │ │            <ocil:actions>
│ │ │ │ -            <ocil:test_action_ref>ocil:ssg-chromium_disable_password_manager_action:testaction:1</ocil:test_action_ref>
│ │ │ │ +            <ocil:test_action_ref>ocil:ssg-chromium_disable_outdated_plugins_action:testaction:1</ocil:test_action_ref>
│ │ │ │            </ocil:actions>
│ │ │ │          </ocil:questionnaire>
│ │ │ │ -        <ocil:questionnaire id="ocil:ssg-chromium_disable_session_cookies_ocil:questionnaire:1">
│ │ │ │ -          <ocil:title>Disable Session Cookies</ocil:title>
│ │ │ │ +        <ocil:questionnaire id="ocil:ssg-chromium_http_authentication_ocil:questionnaire:1">
│ │ │ │ +          <ocil:title>Set Chromium's HTTP Authentication Scheme</ocil:title>
│ │ │ │            <ocil:actions>
│ │ │ │ -            <ocil:test_action_ref>ocil:ssg-chromium_disable_session_cookies_action:testaction:1</ocil:test_action_ref>
│ │ │ │ +            <ocil:test_action_ref>ocil:ssg-chromium_http_authentication_action:testaction:1</ocil:test_action_ref>
│ │ │ │            </ocil:actions>
│ │ │ │          </ocil:questionnaire>
│ │ │ │ -        <ocil:questionnaire id="ocil:ssg-chromium_trusted_home_page_ocil:questionnaire:1">
│ │ │ │ -          <ocil:title>Set the Default Home Page</ocil:title>
│ │ │ │ +        <ocil:questionnaire id="ocil:ssg-chromium_disable_search_suggestions_ocil:questionnaire:1">
│ │ │ │ +          <ocil:title>Disable Search Suggestion</ocil:title>
│ │ │ │            <ocil:actions>
│ │ │ │ -            <ocil:test_action_ref>ocil:ssg-chromium_trusted_home_page_action:testaction:1</ocil:test_action_ref>
│ │ │ │ +            <ocil:test_action_ref>ocil:ssg-chromium_disable_search_suggestions_action:testaction:1</ocil:test_action_ref>
│ │ │ │            </ocil:actions>
│ │ │ │          </ocil:questionnaire>
│ │ │ │          <ocil:questionnaire id="ocil:ssg-chromium_disable_plugin_blacklist_ocil:questionnaire:1">
│ │ │ │            <ocil:title>Disable All Plugins by Default</ocil:title>
│ │ │ │            <ocil:actions>
│ │ │ │              <ocil:test_action_ref>ocil:ssg-chromium_disable_plugin_blacklist_action:testaction:1</ocil:test_action_ref>
│ │ │ │            </ocil:actions>
│ │ │ │          </ocil:questionnaire>
│ │ │ │ -        <ocil:questionnaire id="ocil:ssg-chromium_disable_cloud_print_sharing_ocil:questionnaire:1">
│ │ │ │ -          <ocil:title>Disable Cloud Print Sharing</ocil:title>
│ │ │ │ -          <ocil:actions>
│ │ │ │ -            <ocil:test_action_ref>ocil:ssg-chromium_disable_cloud_print_sharing_action:testaction:1</ocil:test_action_ref>
│ │ │ │ -          </ocil:actions>
│ │ │ │ -        </ocil:questionnaire>
│ │ │ │ -        <ocil:questionnaire id="ocil:ssg-chromium_disable_protocol_schemas_ocil:questionnaire:1">
│ │ │ │ -          <ocil:title>Disable Insecure And Obsolete Protocol Schemas</ocil:title>
│ │ │ │ -          <ocil:actions>
│ │ │ │ -            <ocil:test_action_ref>ocil:ssg-chromium_disable_protocol_schemas_action:testaction:1</ocil:test_action_ref>
│ │ │ │ -          </ocil:actions>
│ │ │ │ -        </ocil:questionnaire>
│ │ │ │ -        <ocil:questionnaire id="ocil:ssg-chromium_plugins_require_authorization_ocil:questionnaire:1">
│ │ │ │ -          <ocil:title>Require Outdated Plugins to be Authorized</ocil:title>
│ │ │ │ -          <ocil:actions>
│ │ │ │ -            <ocil:test_action_ref>ocil:ssg-chromium_plugins_require_authorization_action:testaction:1</ocil:test_action_ref>
│ │ │ │ -          </ocil:actions>
│ │ │ │ -        </ocil:questionnaire>
│ │ │ │          <ocil:questionnaire id="ocil:ssg-chromium_default_search_provider_name_ocil:questionnaire:1">
│ │ │ │            <ocil:title>Set the Default Search Provider's URL</ocil:title>
│ │ │ │            <ocil:actions>
│ │ │ │              <ocil:test_action_ref>ocil:ssg-chromium_default_search_provider_name_action:testaction:1</ocil:test_action_ref>
│ │ │ │            </ocil:actions>
│ │ │ │          </ocil:questionnaire>
│ │ │ │ -        <ocil:questionnaire id="ocil:ssg-chromium_whitelist_plugin_urls_ocil:questionnaire:1">
│ │ │ │ -          <ocil:title>Enable Plugins for Only Approved URLs</ocil:title>
│ │ │ │ +        <ocil:questionnaire id="ocil:ssg-chromium_disable_password_manager_ocil:questionnaire:1">
│ │ │ │ +          <ocil:title>Disable Chromium Password Manager</ocil:title>
│ │ │ │            <ocil:actions>
│ │ │ │ -            <ocil:test_action_ref>ocil:ssg-chromium_whitelist_plugin_urls_action:testaction:1</ocil:test_action_ref>
│ │ │ │ +            <ocil:test_action_ref>ocil:ssg-chromium_disable_password_manager_action:testaction:1</ocil:test_action_ref>
│ │ │ │            </ocil:actions>
│ │ │ │          </ocil:questionnaire>
│ │ │ │ -        <ocil:questionnaire id="ocil:ssg-chromium_disable_saved_passwords_ocil:questionnaire:1">
│ │ │ │ -          <ocil:title>Disable Saved Passwords</ocil:title>
│ │ │ │ +        <ocil:questionnaire id="ocil:ssg-chromium_disable_automatic_installation_ocil:questionnaire:1">
│ │ │ │ +          <ocil:title>Disable Automatic Search And Installation of Plugins</ocil:title>
│ │ │ │            <ocil:actions>
│ │ │ │ -            <ocil:test_action_ref>ocil:ssg-chromium_disable_saved_passwords_action:testaction:1</ocil:test_action_ref>
│ │ │ │ +            <ocil:test_action_ref>ocil:ssg-chromium_disable_automatic_installation_action:testaction:1</ocil:test_action_ref>
│ │ │ │            </ocil:actions>
│ │ │ │          </ocil:questionnaire>
│ │ │ │ -        <ocil:questionnaire id="ocil:ssg-chromium_disable_search_suggestions_ocil:questionnaire:1">
│ │ │ │ -          <ocil:title>Disable Search Suggestion</ocil:title>
│ │ │ │ +        <ocil:questionnaire id="ocil:ssg-chromium_blacklist_extension_installation_ocil:questionnaire:1">
│ │ │ │ +          <ocil:title>Disable All Extensions by Default</ocil:title>
│ │ │ │            <ocil:actions>
│ │ │ │ -            <ocil:test_action_ref>ocil:ssg-chromium_disable_search_suggestions_action:testaction:1</ocil:test_action_ref>
│ │ │ │ +            <ocil:test_action_ref>ocil:ssg-chromium_blacklist_extension_installation_action:testaction:1</ocil:test_action_ref>
│ │ │ │            </ocil:actions>
│ │ │ │          </ocil:questionnaire>
│ │ │ │ -        <ocil:questionnaire id="ocil:ssg-chromium_disable_background_processing_ocil:questionnaire:1">
│ │ │ │ -          <ocil:title>Disable Background Processing</ocil:title>
│ │ │ │ +        <ocil:questionnaire id="ocil:ssg-chromium_disable_protocol_schemas_ocil:questionnaire:1">
│ │ │ │ +          <ocil:title>Disable Insecure And Obsolete Protocol Schemas</ocil:title>
│ │ │ │            <ocil:actions>
│ │ │ │ -            <ocil:test_action_ref>ocil:ssg-chromium_disable_background_processing_action:testaction:1</ocil:test_action_ref>
│ │ │ │ +            <ocil:test_action_ref>ocil:ssg-chromium_disable_protocol_schemas_action:testaction:1</ocil:test_action_ref>
│ │ │ │            </ocil:actions>
│ │ │ │          </ocil:questionnaire>
│ │ │ │ -        <ocil:questionnaire id="ocil:ssg-chromium_disable_autocomplete_ocil:questionnaire:1">
│ │ │ │ -          <ocil:title>Disable the AutoFill Feature</ocil:title>
│ │ │ │ +        <ocil:questionnaire id="ocil:ssg-chromium_check_cert_revocation_ocil:questionnaire:1">
│ │ │ │ +          <ocil:title>Enable Online OCSP/CRL Certificate Checks</ocil:title>
│ │ │ │            <ocil:actions>
│ │ │ │ -            <ocil:test_action_ref>ocil:ssg-chromium_disable_autocomplete_action:testaction:1</ocil:test_action_ref>
│ │ │ │ +            <ocil:test_action_ref>ocil:ssg-chromium_check_cert_revocation_action:testaction:1</ocil:test_action_ref>
│ │ │ │            </ocil:actions>
│ │ │ │          </ocil:questionnaire>
│ │ │ │ -        <ocil:questionnaire id="ocil:ssg-chromium_http_authentication_ocil:questionnaire:1">
│ │ │ │ -          <ocil:title>Set Chromium's HTTP Authentication Scheme</ocil:title>
│ │ │ │ +        <ocil:questionnaire id="ocil:ssg-chromium_plugins_require_authorization_ocil:questionnaire:1">
│ │ │ │ +          <ocil:title>Require Outdated Plugins to be Authorized</ocil:title>
│ │ │ │            <ocil:actions>
│ │ │ │ -            <ocil:test_action_ref>ocil:ssg-chromium_http_authentication_action:testaction:1</ocil:test_action_ref>
│ │ │ │ +            <ocil:test_action_ref>ocil:ssg-chromium_plugins_require_authorization_action:testaction:1</ocil:test_action_ref>
│ │ │ │            </ocil:actions>
│ │ │ │          </ocil:questionnaire>
│ │ │ │ -        <ocil:questionnaire id="ocil:ssg-chromium_blacklist_extension_installation_ocil:questionnaire:1">
│ │ │ │ -          <ocil:title>Disable All Extensions by Default</ocil:title>
│ │ │ │ +        <ocil:questionnaire id="ocil:ssg-chromium_disable_network_prediction_ocil:questionnaire:1">
│ │ │ │ +          <ocil:title>Disable Network Prediction</ocil:title>
│ │ │ │            <ocil:actions>
│ │ │ │ -            <ocil:test_action_ref>ocil:ssg-chromium_blacklist_extension_installation_action:testaction:1</ocil:test_action_ref>
│ │ │ │ +            <ocil:test_action_ref>ocil:ssg-chromium_disable_network_prediction_action:testaction:1</ocil:test_action_ref>
│ │ │ │            </ocil:actions>
│ │ │ │          </ocil:questionnaire>
│ │ │ │ -        <ocil:questionnaire id="ocil:ssg-chromium_enable_safe_browsing_ocil:questionnaire:1">
│ │ │ │ -          <ocil:title>Enable the Safe Browsing Feature</ocil:title>
│ │ │ │ +        <ocil:questionnaire id="ocil:ssg-chromium_disable_session_cookies_ocil:questionnaire:1">
│ │ │ │ +          <ocil:title>Disable Session Cookies</ocil:title>
│ │ │ │            <ocil:actions>
│ │ │ │ -            <ocil:test_action_ref>ocil:ssg-chromium_enable_safe_browsing_action:testaction:1</ocil:test_action_ref>
│ │ │ │ +            <ocil:test_action_ref>ocil:ssg-chromium_disable_session_cookies_action:testaction:1</ocil:test_action_ref>
│ │ │ │            </ocil:actions>
│ │ │ │          </ocil:questionnaire>
│ │ │ │ -        <ocil:questionnaire id="ocil:ssg-chromium_enable_browser_history_ocil:questionnaire:1">
│ │ │ │ -          <ocil:title>Enable Saving the Browser History</ocil:title>
│ │ │ │ +        <ocil:questionnaire id="ocil:ssg-chromium_disable_incognito_mode_ocil:questionnaire:1">
│ │ │ │ +          <ocil:title>Disable Incognito Mode</ocil:title>
│ │ │ │            <ocil:actions>
│ │ │ │ -            <ocil:test_action_ref>ocil:ssg-chromium_enable_browser_history_action:testaction:1</ocil:test_action_ref>
│ │ │ │ +            <ocil:test_action_ref>ocil:ssg-chromium_disable_incognito_mode_action:testaction:1</ocil:test_action_ref>
│ │ │ │            </ocil:actions>
│ │ │ │          </ocil:questionnaire>
│ │ │ │ -        <ocil:questionnaire id="ocil:ssg-chromium_disable_network_prediction_ocil:questionnaire:1">
│ │ │ │ -          <ocil:title>Disable Network Prediction</ocil:title>
│ │ │ │ +        <ocil:questionnaire id="ocil:ssg-chromium_whitelist_plugin_urls_ocil:questionnaire:1">
│ │ │ │ +          <ocil:title>Enable Plugins for Only Approved URLs</ocil:title>
│ │ │ │            <ocil:actions>
│ │ │ │ -            <ocil:test_action_ref>ocil:ssg-chromium_disable_network_prediction_action:testaction:1</ocil:test_action_ref>
│ │ │ │ +            <ocil:test_action_ref>ocil:ssg-chromium_whitelist_plugin_urls_action:testaction:1</ocil:test_action_ref>
│ │ │ │            </ocil:actions>
│ │ │ │          </ocil:questionnaire>
│ │ │ │        </ocil:questionnaires>
│ │ │ │        <ocil:test_actions>
│ │ │ │          <ocil:boolean_question_test_action id="ocil:ssg-chromium_disable_google_sync_action:testaction:1" question_ref="ocil:ssg-chromium_disable_google_sync_question:question:1">
│ │ │ │            <ocil:when_true>
│ │ │ │              <ocil:result>PASS</ocil:result>
│ │ │ │            </ocil:when_true>
│ │ │ │            <ocil:when_false>
│ │ │ │              <ocil:result>FAIL</ocil:result>
│ │ │ │            </ocil:when_false>
│ │ │ │          </ocil:boolean_question_test_action>
│ │ │ │ -        <ocil:boolean_question_test_action id="ocil:ssg-chromium_disable_3d_graphics_api_action:testaction:1" question_ref="ocil:ssg-chromium_disable_3d_graphics_api_question:question:1">
│ │ │ │ +        <ocil:boolean_question_test_action id="ocil:ssg-chromium_disable_metrics_reporting_action:testaction:1" question_ref="ocil:ssg-chromium_disable_metrics_reporting_question:question:1">
│ │ │ │            <ocil:when_true>
│ │ │ │              <ocil:result>PASS</ocil:result>
│ │ │ │            </ocil:when_true>
│ │ │ │            <ocil:when_false>
│ │ │ │              <ocil:result>FAIL</ocil:result>
│ │ │ │            </ocil:when_false>
│ │ │ │          </ocil:boolean_question_test_action>
│ │ │ │ -        <ocil:boolean_question_test_action id="ocil:ssg-chromium_disable_cleartext_passwords_action:testaction:1" question_ref="ocil:ssg-chromium_disable_cleartext_passwords_question:question:1">
│ │ │ │ +        <ocil:boolean_question_test_action id="ocil:ssg-chromium_disable_3d_graphics_api_action:testaction:1" question_ref="ocil:ssg-chromium_disable_3d_graphics_api_question:question:1">
│ │ │ │            <ocil:when_true>
│ │ │ │              <ocil:result>PASS</ocil:result>
│ │ │ │            </ocil:when_true>
│ │ │ │            <ocil:when_false>
│ │ │ │              <ocil:result>FAIL</ocil:result>
│ │ │ │            </ocil:when_false>
│ │ │ │          </ocil:boolean_question_test_action>
│ │ │ │ -        <ocil:boolean_question_test_action id="ocil:ssg-chromium_default_block_plugins_action:testaction:1" question_ref="ocil:ssg-chromium_default_block_plugins_question:question:1">
│ │ │ │ +        <ocil:boolean_question_test_action id="ocil:ssg-chromium_disable_saved_passwords_action:testaction:1" question_ref="ocil:ssg-chromium_disable_saved_passwords_question:question:1">
│ │ │ │            <ocil:when_true>
│ │ │ │              <ocil:result>PASS</ocil:result>
│ │ │ │            </ocil:when_true>
│ │ │ │            <ocil:when_false>
│ │ │ │              <ocil:result>FAIL</ocil:result>
│ │ │ │            </ocil:when_false>
│ │ │ │          </ocil:boolean_question_test_action>
│ │ │ │ -        <ocil:boolean_question_test_action id="ocil:ssg-chromium_disable_thirdparty_cookies_action:testaction:1" question_ref="ocil:ssg-chromium_disable_thirdparty_cookies_question:question:1">
│ │ │ │ +        <ocil:boolean_question_test_action id="ocil:ssg-chromium_policy_file_action:testaction:1" question_ref="ocil:ssg-chromium_policy_file_question:question:1">
│ │ │ │            <ocil:when_true>
│ │ │ │              <ocil:result>PASS</ocil:result>
│ │ │ │            </ocil:when_true>
│ │ │ │            <ocil:when_false>
│ │ │ │              <ocil:result>FAIL</ocil:result>
│ │ │ │            </ocil:when_false>
│ │ │ │          </ocil:boolean_question_test_action>
│ │ │ │ -        <ocil:boolean_question_test_action id="ocil:ssg-chromium_block_desktop_notifications_action:testaction:1" question_ref="ocil:ssg-chromium_block_desktop_notifications_question:question:1">
│ │ │ │ +        <ocil:boolean_question_test_action id="ocil:ssg-chromium_disable_autocomplete_action:testaction:1" question_ref="ocil:ssg-chromium_disable_autocomplete_question:question:1">
│ │ │ │            <ocil:when_true>
│ │ │ │              <ocil:result>PASS</ocil:result>
│ │ │ │            </ocil:when_true>
│ │ │ │            <ocil:when_false>
│ │ │ │              <ocil:result>FAIL</ocil:result>
│ │ │ │            </ocil:when_false>
│ │ │ │          </ocil:boolean_question_test_action>
│ │ │ │ -        <ocil:boolean_question_test_action id="ocil:ssg-chromium_disable_firewall_traversal_action:testaction:1" question_ref="ocil:ssg-chromium_disable_firewall_traversal_question:question:1">
│ │ │ │ +        <ocil:boolean_question_test_action id="ocil:ssg-chromium_disable_cleartext_passwords_action:testaction:1" question_ref="ocil:ssg-chromium_disable_cleartext_passwords_question:question:1">
│ │ │ │            <ocil:when_true>
│ │ │ │              <ocil:result>PASS</ocil:result>
│ │ │ │            </ocil:when_true>
│ │ │ │            <ocil:when_false>
│ │ │ │              <ocil:result>FAIL</ocil:result>
│ │ │ │            </ocil:when_false>
│ │ │ │          </ocil:boolean_question_test_action>
│ │ │ │ -        <ocil:boolean_question_test_action id="ocil:ssg-chromium_disable_popups_action:testaction:1" question_ref="ocil:ssg-chromium_disable_popups_question:question:1">
│ │ │ │ +        <ocil:boolean_question_test_action id="ocil:ssg-chromium_enable_browser_history_action:testaction:1" question_ref="ocil:ssg-chromium_enable_browser_history_question:question:1">
│ │ │ │            <ocil:when_true>
│ │ │ │              <ocil:result>PASS</ocil:result>
│ │ │ │            </ocil:when_true>
│ │ │ │            <ocil:when_false>
│ │ │ │              <ocil:result>FAIL</ocil:result>
│ │ │ │            </ocil:when_false>
│ │ │ │          </ocil:boolean_question_test_action>
│ │ │ │ -        <ocil:boolean_question_test_action id="ocil:ssg-chromium_default_search_provider_action:testaction:1" question_ref="ocil:ssg-chromium_default_search_provider_question:question:1">
│ │ │ │ +        <ocil:boolean_question_test_action id="ocil:ssg-chromium_enable_encrypted_searching_action:testaction:1" question_ref="ocil:ssg-chromium_enable_encrypted_searching_question:question:1">
│ │ │ │            <ocil:when_true>
│ │ │ │              <ocil:result>PASS</ocil:result>
│ │ │ │            </ocil:when_true>
│ │ │ │            <ocil:when_false>
│ │ │ │              <ocil:result>FAIL</ocil:result>
│ │ │ │            </ocil:when_false>
│ │ │ │          </ocil:boolean_question_test_action>
│ │ │ │ -        <ocil:boolean_question_test_action id="ocil:ssg-chromium_disable_outdated_plugins_action:testaction:1" question_ref="ocil:ssg-chromium_disable_outdated_plugins_question:question:1">
│ │ │ │ +        <ocil:boolean_question_test_action id="ocil:ssg-chromium_disable_thirdparty_cookies_action:testaction:1" question_ref="ocil:ssg-chromium_disable_thirdparty_cookies_question:question:1">
│ │ │ │            <ocil:when_true>
│ │ │ │              <ocil:result>PASS</ocil:result>
│ │ │ │            </ocil:when_true>
│ │ │ │            <ocil:when_false>
│ │ │ │              <ocil:result>FAIL</ocil:result>
│ │ │ │            </ocil:when_false>
│ │ │ │          </ocil:boolean_question_test_action>
│ │ │ │ -        <ocil:boolean_question_test_action id="ocil:ssg-chromium_extension_whitelist_action:testaction:1" question_ref="ocil:ssg-chromium_extension_whitelist_question:question:1">
│ │ │ │ +        <ocil:boolean_question_test_action id="ocil:ssg-chromium_enable_approved_plugins_action:testaction:1" question_ref="ocil:ssg-chromium_enable_approved_plugins_question:question:1">
│ │ │ │            <ocil:when_true>
│ │ │ │              <ocil:result>PASS</ocil:result>
│ │ │ │            </ocil:when_true>
│ │ │ │            <ocil:when_false>
│ │ │ │              <ocil:result>FAIL</ocil:result>
│ │ │ │            </ocil:when_false>
│ │ │ │          </ocil:boolean_question_test_action>
│ │ │ │ -        <ocil:boolean_question_test_action id="ocil:ssg-chromium_enable_approved_plugins_action:testaction:1" question_ref="ocil:ssg-chromium_enable_approved_plugins_question:question:1">
│ │ │ │ +        <ocil:boolean_question_test_action id="ocil:ssg-chromium_trusted_home_page_action:testaction:1" question_ref="ocil:ssg-chromium_trusted_home_page_question:question:1">
│ │ │ │            <ocil:when_true>
│ │ │ │              <ocil:result>PASS</ocil:result>
│ │ │ │            </ocil:when_true>
│ │ │ │            <ocil:when_false>
│ │ │ │              <ocil:result>FAIL</ocil:result>
│ │ │ │            </ocil:when_false>
│ │ │ │          </ocil:boolean_question_test_action>
│ │ │ │ -        <ocil:boolean_question_test_action id="ocil:ssg-chromium_disable_automatic_installation_action:testaction:1" question_ref="ocil:ssg-chromium_disable_automatic_installation_question:question:1">
│ │ │ │ +        <ocil:boolean_question_test_action id="ocil:ssg-chromium_default_search_provider_action:testaction:1" question_ref="ocil:ssg-chromium_default_search_provider_question:question:1">
│ │ │ │            <ocil:when_true>
│ │ │ │              <ocil:result>PASS</ocil:result>
│ │ │ │            </ocil:when_true>
│ │ │ │            <ocil:when_false>
│ │ │ │              <ocil:result>FAIL</ocil:result>
│ │ │ │            </ocil:when_false>
│ │ │ │          </ocil:boolean_question_test_action>
│ │ │ │ -        <ocil:boolean_question_test_action id="ocil:ssg-chromium_disable_metrics_reporting_action:testaction:1" question_ref="ocil:ssg-chromium_disable_metrics_reporting_question:question:1">
│ │ │ │ +        <ocil:boolean_question_test_action id="ocil:ssg-chromium_block_desktop_notifications_action:testaction:1" question_ref="ocil:ssg-chromium_block_desktop_notifications_question:question:1">
│ │ │ │            <ocil:when_true>
│ │ │ │              <ocil:result>PASS</ocil:result>
│ │ │ │            </ocil:when_true>
│ │ │ │            <ocil:when_false>
│ │ │ │              <ocil:result>FAIL</ocil:result>
│ │ │ │            </ocil:when_false>
│ │ │ │          </ocil:boolean_question_test_action>
│ │ │ │ -        <ocil:boolean_question_test_action id="ocil:ssg-chromium_policy_file_action:testaction:1" question_ref="ocil:ssg-chromium_policy_file_question:question:1">
│ │ │ │ +        <ocil:boolean_question_test_action id="ocil:ssg-chromium_disable_popups_action:testaction:1" question_ref="ocil:ssg-chromium_disable_popups_question:question:1">
│ │ │ │            <ocil:when_true>
│ │ │ │              <ocil:result>PASS</ocil:result>
│ │ │ │            </ocil:when_true>
│ │ │ │            <ocil:when_false>
│ │ │ │              <ocil:result>FAIL</ocil:result>
│ │ │ │            </ocil:when_false>
│ │ │ │          </ocil:boolean_question_test_action>
│ │ │ │ -        <ocil:boolean_question_test_action id="ocil:ssg-chromium_check_cert_revocation_action:testaction:1" question_ref="ocil:ssg-chromium_check_cert_revocation_question:question:1">
│ │ │ │ +        <ocil:boolean_question_test_action id="ocil:ssg-chromium_disable_cloud_print_sharing_action:testaction:1" question_ref="ocil:ssg-chromium_disable_cloud_print_sharing_question:question:1">
│ │ │ │            <ocil:when_true>
│ │ │ │              <ocil:result>PASS</ocil:result>
│ │ │ │            </ocil:when_true>
│ │ │ │            <ocil:when_false>
│ │ │ │              <ocil:result>FAIL</ocil:result>
│ │ │ │            </ocil:when_false>
│ │ │ │          </ocil:boolean_question_test_action>
│ │ │ │ -        <ocil:boolean_question_test_action id="ocil:ssg-chromium_disable_incognito_mode_action:testaction:1" question_ref="ocil:ssg-chromium_disable_incognito_mode_question:question:1">
│ │ │ │ +        <ocil:boolean_question_test_action id="ocil:ssg-chromium_default_block_plugins_action:testaction:1" question_ref="ocil:ssg-chromium_default_block_plugins_question:question:1">
│ │ │ │            <ocil:when_true>
│ │ │ │              <ocil:result>PASS</ocil:result>
│ │ │ │            </ocil:when_true>
│ │ │ │            <ocil:when_false>
│ │ │ │              <ocil:result>FAIL</ocil:result>
│ │ │ │            </ocil:when_false>
│ │ │ │          </ocil:boolean_question_test_action>
│ │ │ │ -        <ocil:boolean_question_test_action id="ocil:ssg-chromium_disallow_location_tracking_action:testaction:1" question_ref="ocil:ssg-chromium_disallow_location_tracking_question:question:1">
│ │ │ │ +        <ocil:boolean_question_test_action id="ocil:ssg-chromium_extension_whitelist_action:testaction:1" question_ref="ocil:ssg-chromium_extension_whitelist_question:question:1">
│ │ │ │            <ocil:when_true>
│ │ │ │              <ocil:result>PASS</ocil:result>
│ │ │ │            </ocil:when_true>
│ │ │ │            <ocil:when_false>
│ │ │ │              <ocil:result>FAIL</ocil:result>
│ │ │ │            </ocil:when_false>
│ │ │ │          </ocil:boolean_question_test_action>
│ │ │ │ -        <ocil:boolean_question_test_action id="ocil:ssg-chromium_enable_encrypted_searching_action:testaction:1" question_ref="ocil:ssg-chromium_enable_encrypted_searching_question:question:1">
│ │ │ │ +        <ocil:boolean_question_test_action id="ocil:ssg-chromium_disable_background_processing_action:testaction:1" question_ref="ocil:ssg-chromium_disable_background_processing_question:question:1">
│ │ │ │            <ocil:when_true>
│ │ │ │              <ocil:result>PASS</ocil:result>
│ │ │ │            </ocil:when_true>
│ │ │ │            <ocil:when_false>
│ │ │ │              <ocil:result>FAIL</ocil:result>
│ │ │ │            </ocil:when_false>
│ │ │ │          </ocil:boolean_question_test_action>
│ │ │ │ -        <ocil:boolean_question_test_action id="ocil:ssg-chromium_disable_password_manager_action:testaction:1" question_ref="ocil:ssg-chromium_disable_password_manager_question:question:1">
│ │ │ │ +        <ocil:boolean_question_test_action id="ocil:ssg-chromium_disable_firewall_traversal_action:testaction:1" question_ref="ocil:ssg-chromium_disable_firewall_traversal_question:question:1">
│ │ │ │            <ocil:when_true>
│ │ │ │              <ocil:result>PASS</ocil:result>
│ │ │ │            </ocil:when_true>
│ │ │ │            <ocil:when_false>
│ │ │ │              <ocil:result>FAIL</ocil:result>
│ │ │ │            </ocil:when_false>
│ │ │ │          </ocil:boolean_question_test_action>
│ │ │ │ -        <ocil:boolean_question_test_action id="ocil:ssg-chromium_disable_session_cookies_action:testaction:1" question_ref="ocil:ssg-chromium_disable_session_cookies_question:question:1">
│ │ │ │ +        <ocil:boolean_question_test_action id="ocil:ssg-chromium_enable_safe_browsing_action:testaction:1" question_ref="ocil:ssg-chromium_enable_safe_browsing_question:question:1">
│ │ │ │            <ocil:when_true>
│ │ │ │              <ocil:result>PASS</ocil:result>
│ │ │ │            </ocil:when_true>
│ │ │ │            <ocil:when_false>
│ │ │ │              <ocil:result>FAIL</ocil:result>
│ │ │ │            </ocil:when_false>
│ │ │ │          </ocil:boolean_question_test_action>
│ │ │ │ -        <ocil:boolean_question_test_action id="ocil:ssg-chromium_trusted_home_page_action:testaction:1" question_ref="ocil:ssg-chromium_trusted_home_page_question:question:1">
│ │ │ │ +        <ocil:boolean_question_test_action id="ocil:ssg-chromium_disallow_location_tracking_action:testaction:1" question_ref="ocil:ssg-chromium_disallow_location_tracking_question:question:1">
│ │ │ │            <ocil:when_true>
│ │ │ │              <ocil:result>PASS</ocil:result>
│ │ │ │            </ocil:when_true>
│ │ │ │            <ocil:when_false>
│ │ │ │              <ocil:result>FAIL</ocil:result>
│ │ │ │            </ocil:when_false>
│ │ │ │          </ocil:boolean_question_test_action>
│ │ │ │ -        <ocil:boolean_question_test_action id="ocil:ssg-chromium_disable_plugin_blacklist_action:testaction:1" question_ref="ocil:ssg-chromium_disable_plugin_blacklist_question:question:1">
│ │ │ │ +        <ocil:boolean_question_test_action id="ocil:ssg-chromium_disable_outdated_plugins_action:testaction:1" question_ref="ocil:ssg-chromium_disable_outdated_plugins_question:question:1">
│ │ │ │            <ocil:when_true>
│ │ │ │              <ocil:result>PASS</ocil:result>
│ │ │ │            </ocil:when_true>
│ │ │ │            <ocil:when_false>
│ │ │ │              <ocil:result>FAIL</ocil:result>
│ │ │ │            </ocil:when_false>
│ │ │ │          </ocil:boolean_question_test_action>
│ │ │ │ -        <ocil:boolean_question_test_action id="ocil:ssg-chromium_disable_cloud_print_sharing_action:testaction:1" question_ref="ocil:ssg-chromium_disable_cloud_print_sharing_question:question:1">
│ │ │ │ +        <ocil:boolean_question_test_action id="ocil:ssg-chromium_http_authentication_action:testaction:1" question_ref="ocil:ssg-chromium_http_authentication_question:question:1">
│ │ │ │            <ocil:when_true>
│ │ │ │              <ocil:result>PASS</ocil:result>
│ │ │ │            </ocil:when_true>
│ │ │ │            <ocil:when_false>
│ │ │ │              <ocil:result>FAIL</ocil:result>
│ │ │ │            </ocil:when_false>
│ │ │ │          </ocil:boolean_question_test_action>
│ │ │ │ -        <ocil:boolean_question_test_action id="ocil:ssg-chromium_disable_protocol_schemas_action:testaction:1" question_ref="ocil:ssg-chromium_disable_protocol_schemas_question:question:1">
│ │ │ │ +        <ocil:boolean_question_test_action id="ocil:ssg-chromium_disable_search_suggestions_action:testaction:1" question_ref="ocil:ssg-chromium_disable_search_suggestions_question:question:1">
│ │ │ │            <ocil:when_true>
│ │ │ │              <ocil:result>PASS</ocil:result>
│ │ │ │            </ocil:when_true>
│ │ │ │            <ocil:when_false>
│ │ │ │              <ocil:result>FAIL</ocil:result>
│ │ │ │            </ocil:when_false>
│ │ │ │          </ocil:boolean_question_test_action>
│ │ │ │ -        <ocil:boolean_question_test_action id="ocil:ssg-chromium_plugins_require_authorization_action:testaction:1" question_ref="ocil:ssg-chromium_plugins_require_authorization_question:question:1">
│ │ │ │ +        <ocil:boolean_question_test_action id="ocil:ssg-chromium_disable_plugin_blacklist_action:testaction:1" question_ref="ocil:ssg-chromium_disable_plugin_blacklist_question:question:1">
│ │ │ │            <ocil:when_true>
│ │ │ │              <ocil:result>PASS</ocil:result>
│ │ │ │            </ocil:when_true>
│ │ │ │            <ocil:when_false>
│ │ │ │              <ocil:result>FAIL</ocil:result>
│ │ │ │            </ocil:when_false>
│ │ │ │          </ocil:boolean_question_test_action>
│ │ │ │ @@ -2988,87 +2988,87 @@
│ │ │ │            <ocil:when_true>
│ │ │ │              <ocil:result>PASS</ocil:result>
│ │ │ │            </ocil:when_true>
│ │ │ │            <ocil:when_false>
│ │ │ │              <ocil:result>FAIL</ocil:result>
│ │ │ │            </ocil:when_false>
│ │ │ │          </ocil:boolean_question_test_action>
│ │ │ │ -        <ocil:boolean_question_test_action id="ocil:ssg-chromium_whitelist_plugin_urls_action:testaction:1" question_ref="ocil:ssg-chromium_whitelist_plugin_urls_question:question:1">
│ │ │ │ +        <ocil:boolean_question_test_action id="ocil:ssg-chromium_disable_password_manager_action:testaction:1" question_ref="ocil:ssg-chromium_disable_password_manager_question:question:1">
│ │ │ │            <ocil:when_true>
│ │ │ │              <ocil:result>PASS</ocil:result>
│ │ │ │            </ocil:when_true>
│ │ │ │            <ocil:when_false>
│ │ │ │              <ocil:result>FAIL</ocil:result>
│ │ │ │            </ocil:when_false>
│ │ │ │          </ocil:boolean_question_test_action>
│ │ │ │ -        <ocil:boolean_question_test_action id="ocil:ssg-chromium_disable_saved_passwords_action:testaction:1" question_ref="ocil:ssg-chromium_disable_saved_passwords_question:question:1">
│ │ │ │ +        <ocil:boolean_question_test_action id="ocil:ssg-chromium_disable_automatic_installation_action:testaction:1" question_ref="ocil:ssg-chromium_disable_automatic_installation_question:question:1">
│ │ │ │            <ocil:when_true>
│ │ │ │              <ocil:result>PASS</ocil:result>
│ │ │ │            </ocil:when_true>
│ │ │ │            <ocil:when_false>
│ │ │ │              <ocil:result>FAIL</ocil:result>
│ │ │ │            </ocil:when_false>
│ │ │ │          </ocil:boolean_question_test_action>
│ │ │ │ -        <ocil:boolean_question_test_action id="ocil:ssg-chromium_disable_search_suggestions_action:testaction:1" question_ref="ocil:ssg-chromium_disable_search_suggestions_question:question:1">
│ │ │ │ +        <ocil:boolean_question_test_action id="ocil:ssg-chromium_blacklist_extension_installation_action:testaction:1" question_ref="ocil:ssg-chromium_blacklist_extension_installation_question:question:1">
│ │ │ │            <ocil:when_true>
│ │ │ │              <ocil:result>PASS</ocil:result>
│ │ │ │            </ocil:when_true>
│ │ │ │            <ocil:when_false>
│ │ │ │              <ocil:result>FAIL</ocil:result>
│ │ │ │            </ocil:when_false>
│ │ │ │          </ocil:boolean_question_test_action>
│ │ │ │ -        <ocil:boolean_question_test_action id="ocil:ssg-chromium_disable_background_processing_action:testaction:1" question_ref="ocil:ssg-chromium_disable_background_processing_question:question:1">
│ │ │ │ +        <ocil:boolean_question_test_action id="ocil:ssg-chromium_disable_protocol_schemas_action:testaction:1" question_ref="ocil:ssg-chromium_disable_protocol_schemas_question:question:1">
│ │ │ │            <ocil:when_true>
│ │ │ │              <ocil:result>PASS</ocil:result>
│ │ │ │            </ocil:when_true>
│ │ │ │            <ocil:when_false>
│ │ │ │              <ocil:result>FAIL</ocil:result>
│ │ │ │            </ocil:when_false>
│ │ │ │          </ocil:boolean_question_test_action>
│ │ │ │ -        <ocil:boolean_question_test_action id="ocil:ssg-chromium_disable_autocomplete_action:testaction:1" question_ref="ocil:ssg-chromium_disable_autocomplete_question:question:1">
│ │ │ │ +        <ocil:boolean_question_test_action id="ocil:ssg-chromium_check_cert_revocation_action:testaction:1" question_ref="ocil:ssg-chromium_check_cert_revocation_question:question:1">
│ │ │ │            <ocil:when_true>
│ │ │ │              <ocil:result>PASS</ocil:result>
│ │ │ │            </ocil:when_true>
│ │ │ │            <ocil:when_false>
│ │ │ │              <ocil:result>FAIL</ocil:result>
│ │ │ │            </ocil:when_false>
│ │ │ │          </ocil:boolean_question_test_action>
│ │ │ │ -        <ocil:boolean_question_test_action id="ocil:ssg-chromium_http_authentication_action:testaction:1" question_ref="ocil:ssg-chromium_http_authentication_question:question:1">
│ │ │ │ +        <ocil:boolean_question_test_action id="ocil:ssg-chromium_plugins_require_authorization_action:testaction:1" question_ref="ocil:ssg-chromium_plugins_require_authorization_question:question:1">
│ │ │ │            <ocil:when_true>
│ │ │ │              <ocil:result>PASS</ocil:result>
│ │ │ │            </ocil:when_true>
│ │ │ │            <ocil:when_false>
│ │ │ │              <ocil:result>FAIL</ocil:result>
│ │ │ │            </ocil:when_false>
│ │ │ │          </ocil:boolean_question_test_action>
│ │ │ │ -        <ocil:boolean_question_test_action id="ocil:ssg-chromium_blacklist_extension_installation_action:testaction:1" question_ref="ocil:ssg-chromium_blacklist_extension_installation_question:question:1">
│ │ │ │ +        <ocil:boolean_question_test_action id="ocil:ssg-chromium_disable_network_prediction_action:testaction:1" question_ref="ocil:ssg-chromium_disable_network_prediction_question:question:1">
│ │ │ │            <ocil:when_true>
│ │ │ │              <ocil:result>PASS</ocil:result>
│ │ │ │            </ocil:when_true>
│ │ │ │            <ocil:when_false>
│ │ │ │              <ocil:result>FAIL</ocil:result>
│ │ │ │            </ocil:when_false>
│ │ │ │          </ocil:boolean_question_test_action>
│ │ │ │ -        <ocil:boolean_question_test_action id="ocil:ssg-chromium_enable_safe_browsing_action:testaction:1" question_ref="ocil:ssg-chromium_enable_safe_browsing_question:question:1">
│ │ │ │ +        <ocil:boolean_question_test_action id="ocil:ssg-chromium_disable_session_cookies_action:testaction:1" question_ref="ocil:ssg-chromium_disable_session_cookies_question:question:1">
│ │ │ │            <ocil:when_true>
│ │ │ │              <ocil:result>PASS</ocil:result>
│ │ │ │            </ocil:when_true>
│ │ │ │            <ocil:when_false>
│ │ │ │              <ocil:result>FAIL</ocil:result>
│ │ │ │            </ocil:when_false>
│ │ │ │          </ocil:boolean_question_test_action>
│ │ │ │ -        <ocil:boolean_question_test_action id="ocil:ssg-chromium_enable_browser_history_action:testaction:1" question_ref="ocil:ssg-chromium_enable_browser_history_question:question:1">
│ │ │ │ +        <ocil:boolean_question_test_action id="ocil:ssg-chromium_disable_incognito_mode_action:testaction:1" question_ref="ocil:ssg-chromium_disable_incognito_mode_question:question:1">
│ │ │ │            <ocil:when_true>
│ │ │ │              <ocil:result>PASS</ocil:result>
│ │ │ │            </ocil:when_true>
│ │ │ │            <ocil:when_false>
│ │ │ │              <ocil:result>FAIL</ocil:result>
│ │ │ │            </ocil:when_false>
│ │ │ │          </ocil:boolean_question_test_action>
│ │ │ │ -        <ocil:boolean_question_test_action id="ocil:ssg-chromium_disable_network_prediction_action:testaction:1" question_ref="ocil:ssg-chromium_disable_network_prediction_question:question:1">
│ │ │ │ +        <ocil:boolean_question_test_action id="ocil:ssg-chromium_whitelist_plugin_urls_action:testaction:1" question_ref="ocil:ssg-chromium_whitelist_plugin_urls_question:question:1">
│ │ │ │            <ocil:when_true>
│ │ │ │              <ocil:result>PASS</ocil:result>
│ │ │ │            </ocil:when_true>
│ │ │ │            <ocil:when_false>
│ │ │ │              <ocil:result>FAIL</ocil:result>
│ │ │ │            </ocil:when_false>
│ │ │ │          </ocil:boolean_question_test_action>
│ │ │ │ @@ -3077,271 +3077,271 @@
│ │ │ │          <ocil:boolean_question id="ocil:ssg-chromium_disable_google_sync_question:question:1">
│ │ │ │            <ocil:question_text>To verify that data synchronization is disabled, run the following command:
│ │ │ │  $ grep SyncDisabled /etc/chromium/policies/managed/*.json
│ │ │ │  The output should contain:
│ │ │ │  "SyncDisabled": true,
│ │ │ │        Is it the case that it is not disabled?</ocil:question_text>
│ │ │ │          </ocil:boolean_question>
│ │ │ │ +        <ocil:boolean_question id="ocil:ssg-chromium_disable_metrics_reporting_question:question:1">
│ │ │ │ +          <ocil:question_text>To verify that metrics reporting is disabled, run the following command:
│ │ │ │ +$ grep MetricsReportingEnabled /etc/chromium/policies/managed/*.json
│ │ │ │ +The output should contain:
│ │ │ │ +"MetricsReportingEnabled": false,
│ │ │ │ +      Is it the case that it is not disabled?</ocil:question_text>
│ │ │ │ +        </ocil:boolean_question>
│ │ │ │          <ocil:boolean_question id="ocil:ssg-chromium_disable_3d_graphics_api_question:question:1">
│ │ │ │            <ocil:question_text>To verify that 3D graphics are disabled, run the following command:
│ │ │ │  $ grep Disable3DAPIs /etc/chromium/policies/managed/*.json
│ │ │ │  The output should contain:
│ │ │ │  "Disable3DAPIs": true,
│ │ │ │        Is it the case that it is not disabled?</ocil:question_text>
│ │ │ │          </ocil:boolean_question>
│ │ │ │ +        <ocil:boolean_question id="ocil:ssg-chromium_disable_saved_passwords_question:question:1">
│ │ │ │ +          <ocil:question_text>To verify that importing passwords is disabled, run the following command:
│ │ │ │ +$ grep ImportSavedPasswords /etc/chromium/policies/managed/*.json
│ │ │ │ +The output should contain:
│ │ │ │ +"ImportSavedPasswords": false,
│ │ │ │ +      Is it the case that it is not disabled?</ocil:question_text>
│ │ │ │ +        </ocil:boolean_question>
│ │ │ │ +        <ocil:boolean_question id="ocil:ssg-chromium_policy_file_question:question:1">
│ │ │ │ +          <ocil:question_text>To verify that the Chromium policy file exists, run the following command:
│ │ │ │ +$ ls /etc/chromium/policies/managed
│ │ │ │ +The output should show file(s) ending in .json extension.
│ │ │ │ +For example:
│ │ │ │ +chrome-stig-policy.json
│ │ │ │ +      Is it the case that it does not exist or is not configured correctly?</ocil:question_text>
│ │ │ │ +        </ocil:boolean_question>
│ │ │ │ +        <ocil:boolean_question id="ocil:ssg-chromium_disable_autocomplete_question:question:1">
│ │ │ │ +          <ocil:question_text>To verify that the AutoFill feature is disabled, run the following command:
│ │ │ │ +$ grep AutoFillEnabled /etc/chromium/policies/managed/*.json
│ │ │ │ +The output should contain:
│ │ │ │ +"AutoFillEnabled": false,
│ │ │ │ +      Is it the case that it is not disabled?</ocil:question_text>
│ │ │ │ +        </ocil:boolean_question>
│ │ │ │          <ocil:boolean_question id="ocil:ssg-chromium_disable_cleartext_passwords_question:question:1">
│ │ │ │            <ocil:question_text>To verify that the use of cleartext passwords is disabled, run the following command:
│ │ │ │  $ grep PasswordManagerAllowShowPasswords /etc/chromium/policies/managed/*.json
│ │ │ │  The output should contain:
│ │ │ │  "PasswordManagerAllowShowPasswords": false,
│ │ │ │        Is it the case that use of cleartext passwords are not disabled?</ocil:question_text>
│ │ │ │          </ocil:boolean_question>
│ │ │ │ -        <ocil:boolean_question id="ocil:ssg-chromium_default_block_plugins_question:question:1">
│ │ │ │ -          <ocil:question_text>To verify that plugins cannot run automatically, run the following command:
│ │ │ │ -$ grep DefaultPluginsSetting /etc/chromium/policies/managed/*.json
│ │ │ │ +        <ocil:boolean_question id="ocil:ssg-chromium_enable_browser_history_question:question:1">
│ │ │ │ +          <ocil:question_text>To verify that saving the browser history is enabled, run the following command:
│ │ │ │ +$ grep SavingBrowserHistoryDisabled /etc/chromium/policies/managed/*.json
│ │ │ │  The output should contain:
│ │ │ │ -"DefaultPluginsSetting": 3,
│ │ │ │ -      Is it the case that it is not set correctly?</ocil:question_text>
│ │ │ │ +"SavingBrowserHistoryDisabled": false,
│ │ │ │ +      Is it the case that it is not enabled?</ocil:question_text>
│ │ │ │ +        </ocil:boolean_question>
│ │ │ │ +        <ocil:boolean_question id="ocil:ssg-chromium_enable_encrypted_searching_question:question:1">
│ │ │ │ +          <ocil:question_text>To verify that the URL of the search engine is set, run the following command:
│ │ │ │ +$ grep DefaultSearchProviderSearchURL /etc/chromium/policies/managed/*.json
│ │ │ │ +The output should contain:
│ │ │ │ +"DefaultSearchProviderSearchURL": "",
│ │ │ │ +      Is it the case that it is not set?</ocil:question_text>
│ │ │ │          </ocil:boolean_question>
│ │ │ │          <ocil:boolean_question id="ocil:ssg-chromium_disable_thirdparty_cookies_question:question:1">
│ │ │ │            <ocil:question_text>To verify that third party cookies are disabled, run the following command:
│ │ │ │  $ grep BlockThirdPartyCookies /etc/chromium/policies/managed/*.json
│ │ │ │  The output should contain:
│ │ │ │  "BlockThirdPartyCookies": true,
│ │ │ │        Is it the case that it is not disabled?</ocil:question_text>
│ │ │ │          </ocil:boolean_question>
│ │ │ │ +        <ocil:boolean_question id="ocil:ssg-chromium_enable_approved_plugins_question:question:1">
│ │ │ │ +          <ocil:question_text>To verify that approved plugins are set, run the following command:
│ │ │ │ +$ grep EnabledPlugins /etc/chromium/policies/managed/*.json
│ │ │ │ +The output should contain:
│ │ │ │ +"EnabledPlugins": ["approved_plugin1", "approved_plugin2"],
│ │ │ │ +      Is it the case that no plugins exist or it is not set to none?</ocil:question_text>
│ │ │ │ +        </ocil:boolean_question>
│ │ │ │ +        <ocil:boolean_question id="ocil:ssg-chromium_trusted_home_page_question:question:1">
│ │ │ │ +          <ocil:question_text>To verify that the defaut home page is set, run the following command:
│ │ │ │ +$ grep HomepageLocation /etc/chromium/policies/managed/*.json
│ │ │ │ +The output should contain:
│ │ │ │ +"HomepageLocation": "",
│ │ │ │ +      Is it the case that it is not set correctly?</ocil:question_text>
│ │ │ │ +        </ocil:boolean_question>
│ │ │ │ +        <ocil:boolean_question id="ocil:ssg-chromium_default_search_provider_question:question:1">
│ │ │ │ +          <ocil:question_text>To verify that users cannot change the default search provider, run the following command:
│ │ │ │ +$ grep DefaultSearchProviderEnabled /etc/chromium/policies/managed/*.json
│ │ │ │ +The output should contain:
│ │ │ │ +"DefaultSearchProviderEnabled": true,
│ │ │ │ +      Is it the case that it is not enabled?</ocil:question_text>
│ │ │ │ +        </ocil:boolean_question>
│ │ │ │          <ocil:boolean_question id="ocil:ssg-chromium_block_desktop_notifications_question:question:1">
│ │ │ │            <ocil:question_text>To verify that desktop notification is
│ │ │ │  disabled, run the following command:
│ │ │ │  $ grep DefaultNotificationsSetting /etc/chromium/policies/managed/*.json
│ │ │ │  The output should contain:
│ │ │ │  "DefaultNotificationsSetting": 2,
│ │ │ │        Is it the case that it is not disabled?</ocil:question_text>
│ │ │ │          </ocil:boolean_question>
│ │ │ │ -        <ocil:boolean_question id="ocil:ssg-chromium_disable_firewall_traversal_question:question:1">
│ │ │ │ -          <ocil:question_text>To verify that Chromium's abililty to traverse the system firewall is 
│ │ │ │ -disabled, run the following command:
│ │ │ │ -$ grep RemoteAccessHostFirewallTraversal /etc/chromium/policies/managed/*.json
│ │ │ │ -The output should contain:
│ │ │ │ -"RemoteAccessHostFirewallTraversal": false,
│ │ │ │ -      Is it the case that it is not disabled?</ocil:question_text>
│ │ │ │ -        </ocil:boolean_question>
│ │ │ │          <ocil:boolean_question id="ocil:ssg-chromium_disable_popups_question:question:1">
│ │ │ │            <ocil:question_text>To verify that pop-ups are disabled, run the following command:
│ │ │ │  $ grep DefaultPopupsSetting /etc/chromium/policies/managed/*.json
│ │ │ │  The output should contain:
│ │ │ │  "DefaultPopupsSetting": 2,
│ │ │ │        Is it the case that it is not disabled?</ocil:question_text>
│ │ │ │          </ocil:boolean_question>
│ │ │ │ -        <ocil:boolean_question id="ocil:ssg-chromium_default_search_provider_question:question:1">
│ │ │ │ -          <ocil:question_text>To verify that users cannot change the default search provider, run the following command:
│ │ │ │ -$ grep DefaultSearchProviderEnabled /etc/chromium/policies/managed/*.json
│ │ │ │ +        <ocil:boolean_question id="ocil:ssg-chromium_disable_cloud_print_sharing_question:question:1">
│ │ │ │ +          <ocil:question_text>To verify that the Cloud Print Sharing feature is disabled, run the following command:
│ │ │ │ +$ grep CloudPrintProxyEnabled /etc/chromium/policies/managed/*.json
│ │ │ │  The output should contain:
│ │ │ │ -"DefaultSearchProviderEnabled": true,
│ │ │ │ -      Is it the case that it is not enabled?</ocil:question_text>
│ │ │ │ +"CloudPrintProxyEnabled": false,
│ │ │ │ +      Is it the case that it is not disabled?</ocil:question_text>
│ │ │ │          </ocil:boolean_question>
│ │ │ │ -        <ocil:boolean_question id="ocil:ssg-chromium_disable_outdated_plugins_question:question:1">
│ │ │ │ -          <ocil:question_text>To verify that outdated plugins are disabled, run the following command:
│ │ │ │ -$ grep AllowOutdatedPlugins /etc/chromium/policies/managed/*.json
│ │ │ │ +        <ocil:boolean_question id="ocil:ssg-chromium_default_block_plugins_question:question:1">
│ │ │ │ +          <ocil:question_text>To verify that plugins cannot run automatically, run the following command:
│ │ │ │ +$ grep DefaultPluginsSetting /etc/chromium/policies/managed/*.json
│ │ │ │  The output should contain:
│ │ │ │ -"AllowOutdatedPlugins": false,
│ │ │ │ -      Is it the case that it is not disabled?</ocil:question_text>
│ │ │ │ +"DefaultPluginsSetting": 3,
│ │ │ │ +      Is it the case that it is not set correctly?</ocil:question_text>
│ │ │ │          </ocil:boolean_question>
│ │ │ │          <ocil:boolean_question id="ocil:ssg-chromium_extension_whitelist_question:question:1">
│ │ │ │            <ocil:question_text>To verify that approved extensions are whitelisted, run the following command:
│ │ │ │  $ grep ExtensionInstallWhitelist /etc/chromium/policies/managed/*.json
│ │ │ │  The output should contain:
│ │ │ │  "ExtensionInstallWhitelist": [""],
│ │ │ │        Is it the case that approved extensions are not set?</ocil:question_text>
│ │ │ │          </ocil:boolean_question>
│ │ │ │ -        <ocil:boolean_question id="ocil:ssg-chromium_enable_approved_plugins_question:question:1">
│ │ │ │ -          <ocil:question_text>To verify that approved plugins are set, run the following command:
│ │ │ │ -$ grep EnabledPlugins /etc/chromium/policies/managed/*.json
│ │ │ │ -The output should contain:
│ │ │ │ -"EnabledPlugins": ["approved_plugin1", "approved_plugin2"],
│ │ │ │ -      Is it the case that no plugins exist or it is not set to none?</ocil:question_text>
│ │ │ │ -        </ocil:boolean_question>
│ │ │ │ -        <ocil:boolean_question id="ocil:ssg-chromium_disable_automatic_installation_question:question:1">
│ │ │ │ -          <ocil:question_text>To verify that plugins cannot be automatically installed, run the following command:
│ │ │ │ -$ grep DisablePluginFinder /etc/chromium/policies/managed/*.json
│ │ │ │ +        <ocil:boolean_question id="ocil:ssg-chromium_disable_background_processing_question:question:1">
│ │ │ │ +          <ocil:question_text>To verify that background processing is disabled, run the following command:
│ │ │ │ +$ grep BackgroundModeEnabled /etc/chromium/policies/managed/*.json
│ │ │ │  The output should contain:
│ │ │ │ -"DisablePluginFinder": true,
│ │ │ │ +"BackgroundModeEnabled": false,
│ │ │ │        Is it the case that it is not disabled?</ocil:question_text>
│ │ │ │          </ocil:boolean_question>
│ │ │ │ -        <ocil:boolean_question id="ocil:ssg-chromium_disable_metrics_reporting_question:question:1">
│ │ │ │ -          <ocil:question_text>To verify that metrics reporting is disabled, run the following command:
│ │ │ │ -$ grep MetricsReportingEnabled /etc/chromium/policies/managed/*.json
│ │ │ │ +        <ocil:boolean_question id="ocil:ssg-chromium_disable_firewall_traversal_question:question:1">
│ │ │ │ +          <ocil:question_text>To verify that Chromium's abililty to traverse the system firewall is 
│ │ │ │ +disabled, run the following command:
│ │ │ │ +$ grep RemoteAccessHostFirewallTraversal /etc/chromium/policies/managed/*.json
│ │ │ │  The output should contain:
│ │ │ │ -"MetricsReportingEnabled": false,
│ │ │ │ +"RemoteAccessHostFirewallTraversal": false,
│ │ │ │        Is it the case that it is not disabled?</ocil:question_text>
│ │ │ │          </ocil:boolean_question>
│ │ │ │ -        <ocil:boolean_question id="ocil:ssg-chromium_policy_file_question:question:1">
│ │ │ │ -          <ocil:question_text>To verify that the Chromium policy file exists, run the following command:
│ │ │ │ -$ ls /etc/chromium/policies/managed
│ │ │ │ -The output should show file(s) ending in .json extension.
│ │ │ │ -For example:
│ │ │ │ -chrome-stig-policy.json
│ │ │ │ -      Is it the case that it does not exist or is not configured correctly?</ocil:question_text>
│ │ │ │ -        </ocil:boolean_question>
│ │ │ │ -        <ocil:boolean_question id="ocil:ssg-chromium_check_cert_revocation_question:question:1">
│ │ │ │ -          <ocil:question_text>To verify that online OCSP/CRL checks are enabled, run the following command:
│ │ │ │ -$ grep EnableOnlineRevocationChecks /etc/chromium/policies/managed/*.json
│ │ │ │ +        <ocil:boolean_question id="ocil:ssg-chromium_enable_safe_browsing_question:question:1">
│ │ │ │ +          <ocil:question_text>To verify that the safe browsing feature is enabled, run the following command:
│ │ │ │ +$ grep SafeBrowsingEnabled /etc/chromium/policies/managed/*.json
│ │ │ │  The output should contain:
│ │ │ │ -"EnableOnlineRevocationChecks": true,
│ │ │ │ +"SafeBrowsingEnabled": true,
│ │ │ │        Is it the case that it is not enabled?</ocil:question_text>
│ │ │ │          </ocil:boolean_question>
│ │ │ │ -        <ocil:boolean_question id="ocil:ssg-chromium_disable_incognito_mode_question:question:1">
│ │ │ │ -          <ocil:question_text>To verify that incognito mode is disabled, run the following command:
│ │ │ │ -$ grep IncognitoModeAvailability /etc/chromium/policies/managed/*.json
│ │ │ │ -The output should contain:
│ │ │ │ -"IncognitoModeAvailability": 1,
│ │ │ │ -      Is it the case that it is not disabled?</ocil:question_text>
│ │ │ │ -        </ocil:boolean_question>
│ │ │ │          <ocil:boolean_question id="ocil:ssg-chromium_disallow_location_tracking_question:question:1">
│ │ │ │            <ocil:question_text>To verify that location tracking is disabled, run the following command:
│ │ │ │  $ grep DefaultGeolocationSetting /etc/chromium/policies/managed/*.json
│ │ │ │  The output should contain:
│ │ │ │  "DefaultGeolocationSetting": 2,
│ │ │ │        Is it the case that it is not disabled?</ocil:question_text>
│ │ │ │          </ocil:boolean_question>
│ │ │ │ -        <ocil:boolean_question id="ocil:ssg-chromium_enable_encrypted_searching_question:question:1">
│ │ │ │ -          <ocil:question_text>To verify that the URL of the search engine is set, run the following command:
│ │ │ │ -$ grep DefaultSearchProviderSearchURL /etc/chromium/policies/managed/*.json
│ │ │ │ -The output should contain:
│ │ │ │ -"DefaultSearchProviderSearchURL": "",
│ │ │ │ -      Is it the case that it is not set?</ocil:question_text>
│ │ │ │ -        </ocil:boolean_question>
│ │ │ │ -        <ocil:boolean_question id="ocil:ssg-chromium_disable_password_manager_question:question:1">
│ │ │ │ -          <ocil:question_text>To verify that the use of Password Manager is disabled, run the following command:
│ │ │ │ -$ grep PasswordManagerEnabled /etc/chromium/policies/managed/*.json
│ │ │ │ +        <ocil:boolean_question id="ocil:ssg-chromium_disable_outdated_plugins_question:question:1">
│ │ │ │ +          <ocil:question_text>To verify that outdated plugins are disabled, run the following command:
│ │ │ │ +$ grep AllowOutdatedPlugins /etc/chromium/policies/managed/*.json
│ │ │ │  The output should contain:
│ │ │ │ -"PasswordManagerEnabled": false,
│ │ │ │ +"AllowOutdatedPlugins": false,
│ │ │ │        Is it the case that it is not disabled?</ocil:question_text>
│ │ │ │          </ocil:boolean_question>
│ │ │ │ -        <ocil:boolean_question id="ocil:ssg-chromium_disable_session_cookies_question:question:1">
│ │ │ │ -          <ocil:question_text>To verify that sessions cookies for approved sites only are enabled,
│ │ │ │ -run the following command:
│ │ │ │ -$ grep CookiesSessionOnlyForUrls /etc/chromium/policies/managed/*.json
│ │ │ │ +        <ocil:boolean_question id="ocil:ssg-chromium_http_authentication_question:question:1">
│ │ │ │ +          <ocil:question_text>To verify that the HTTP Authentication Scheme is set, run the following command:
│ │ │ │ +$ grep AuthSchemes /etc/chromium/policies/managed/*.json
│ │ │ │  The output should contain:
│ │ │ │ -"CookiesSessionOnlyForUrls": ["none"],
│ │ │ │ -      Is it the case that it is not disabled?</ocil:question_text>
│ │ │ │ +"AuthSchemes": "",
│ │ │ │ +      Is it the case that it is not set?</ocil:question_text>
│ │ │ │          </ocil:boolean_question>
│ │ │ │ -        <ocil:boolean_question id="ocil:ssg-chromium_trusted_home_page_question:question:1">
│ │ │ │ -          <ocil:question_text>To verify that the defaut home page is set, run the following command:
│ │ │ │ -$ grep HomepageLocation /etc/chromium/policies/managed/*.json
│ │ │ │ +        <ocil:boolean_question id="ocil:ssg-chromium_disable_search_suggestions_question:question:1">
│ │ │ │ +          <ocil:question_text>To verify that search suggestion is disabled, run the following command:
│ │ │ │ +$ grep SearchSuggestEnabled /etc/chromium/policies/managed/*.json
│ │ │ │  The output should contain:
│ │ │ │ -"HomepageLocation": "",
│ │ │ │ -      Is it the case that it is not set correctly?</ocil:question_text>
│ │ │ │ +"SearchSuggestEnabled": false,
│ │ │ │ +      Is it the case that it is not disabled?</ocil:question_text>
│ │ │ │          </ocil:boolean_question>
│ │ │ │          <ocil:boolean_question id="ocil:ssg-chromium_disable_plugin_blacklist_question:question:1">
│ │ │ │            <ocil:question_text>To verify that all plugins are blacklisted, run the following command:
│ │ │ │  $ grep DisabledPlugins /etc/chromium/policies/managed/*.json
│ │ │ │  The output should contain:
│ │ │ │  "DisabledPlugins": ["*"],
│ │ │ │        Is it the case that they are not disabled?</ocil:question_text>
│ │ │ │          </ocil:boolean_question>
│ │ │ │ -        <ocil:boolean_question id="ocil:ssg-chromium_disable_cloud_print_sharing_question:question:1">
│ │ │ │ -          <ocil:question_text>To verify that the Cloud Print Sharing feature is disabled, run the following command:
│ │ │ │ -$ grep CloudPrintProxyEnabled /etc/chromium/policies/managed/*.json
│ │ │ │ -The output should contain:
│ │ │ │ -"CloudPrintProxyEnabled": false,
│ │ │ │ -      Is it the case that it is not disabled?</ocil:question_text>
│ │ │ │ -        </ocil:boolean_question>
│ │ │ │ -        <ocil:boolean_question id="ocil:ssg-chromium_disable_protocol_schemas_question:question:1">
│ │ │ │ -          <ocil:question_text>To verify that data synchronization is disabled, run the following command:
│ │ │ │ -$ grep URLBlacklist /etc/chromium/policies/managed/*.json
│ │ │ │ -The output should contain:
│ │ │ │ -"URLBlacklist": [""],
│ │ │ │ -      Is it the case that it is not disabled?</ocil:question_text>
│ │ │ │ -        </ocil:boolean_question>
│ │ │ │ -        <ocil:boolean_question id="ocil:ssg-chromium_plugins_require_authorization_question:question:1">
│ │ │ │ -          <ocil:question_text>To verify that plugins require authorization to run, run the following command:
│ │ │ │ -$ grep AlwaysAuthorizePlugins /etc/chromium/policies/managed/*.json
│ │ │ │ -The output should contain:
│ │ │ │ -"AlwaysAuthorizePlugins": false,
│ │ │ │ -      Is it the case that it is not set?</ocil:question_text>
│ │ │ │ -        </ocil:boolean_question>
│ │ │ │          <ocil:boolean_question id="ocil:ssg-chromium_default_search_provider_name_question:question:1">
│ │ │ │            <ocil:question_text>To verify that a default search provider is set, run the following command:
│ │ │ │  $ grep DefaultSearchProviderName /etc/chromium/policies/managed/*.json
│ │ │ │  The output should contain:
│ │ │ │  "DefaultSearchProviderName": "",
│ │ │ │        Is it the case that a default search provider is not set?</ocil:question_text>
│ │ │ │          </ocil:boolean_question>
│ │ │ │ -        <ocil:boolean_question id="ocil:ssg-chromium_whitelist_plugin_urls_question:question:1">
│ │ │ │ -          <ocil:question_text>To verify that plugins are allowed for only approved URLs, 
│ │ │ │ -run the following command:
│ │ │ │ -$ grep PluginsAllowedForUrls /etc/chromium/policies/managed/*.json
│ │ │ │ -The output should contain:
│ │ │ │ -"PluginsAllowedForUrls": ["[*.]mil", "[*.]example.com", "www.example.com"],
│ │ │ │ -      Is it the case that no urls exist or it is not set to none?</ocil:question_text>
│ │ │ │ -        </ocil:boolean_question>
│ │ │ │ -        <ocil:boolean_question id="ocil:ssg-chromium_disable_saved_passwords_question:question:1">
│ │ │ │ -          <ocil:question_text>To verify that importing passwords is disabled, run the following command:
│ │ │ │ -$ grep ImportSavedPasswords /etc/chromium/policies/managed/*.json
│ │ │ │ -The output should contain:
│ │ │ │ -"ImportSavedPasswords": false,
│ │ │ │ -      Is it the case that it is not disabled?</ocil:question_text>
│ │ │ │ -        </ocil:boolean_question>
│ │ │ │ -        <ocil:boolean_question id="ocil:ssg-chromium_disable_search_suggestions_question:question:1">
│ │ │ │ -          <ocil:question_text>To verify that search suggestion is disabled, run the following command:
│ │ │ │ -$ grep SearchSuggestEnabled /etc/chromium/policies/managed/*.json
│ │ │ │ -The output should contain:
│ │ │ │ -"SearchSuggestEnabled": false,
│ │ │ │ -      Is it the case that it is not disabled?</ocil:question_text>
│ │ │ │ -        </ocil:boolean_question>
│ │ │ │ -        <ocil:boolean_question id="ocil:ssg-chromium_disable_background_processing_question:question:1">
│ │ │ │ -          <ocil:question_text>To verify that background processing is disabled, run the following command:
│ │ │ │ -$ grep BackgroundModeEnabled /etc/chromium/policies/managed/*.json
│ │ │ │ +        <ocil:boolean_question id="ocil:ssg-chromium_disable_password_manager_question:question:1">
│ │ │ │ +          <ocil:question_text>To verify that the use of Password Manager is disabled, run the following command:
│ │ │ │ +$ grep PasswordManagerEnabled /etc/chromium/policies/managed/*.json
│ │ │ │  The output should contain:
│ │ │ │ -"BackgroundModeEnabled": false,
│ │ │ │ +"PasswordManagerEnabled": false,
│ │ │ │        Is it the case that it is not disabled?</ocil:question_text>
│ │ │ │          </ocil:boolean_question>
│ │ │ │ -        <ocil:boolean_question id="ocil:ssg-chromium_disable_autocomplete_question:question:1">
│ │ │ │ -          <ocil:question_text>To verify that the AutoFill feature is disabled, run the following command:
│ │ │ │ -$ grep AutoFillEnabled /etc/chromium/policies/managed/*.json
│ │ │ │ +        <ocil:boolean_question id="ocil:ssg-chromium_disable_automatic_installation_question:question:1">
│ │ │ │ +          <ocil:question_text>To verify that plugins cannot be automatically installed, run the following command:
│ │ │ │ +$ grep DisablePluginFinder /etc/chromium/policies/managed/*.json
│ │ │ │  The output should contain:
│ │ │ │ -"AutoFillEnabled": false,
│ │ │ │ +"DisablePluginFinder": true,
│ │ │ │        Is it the case that it is not disabled?</ocil:question_text>
│ │ │ │          </ocil:boolean_question>
│ │ │ │ -        <ocil:boolean_question id="ocil:ssg-chromium_http_authentication_question:question:1">
│ │ │ │ -          <ocil:question_text>To verify that the HTTP Authentication Scheme is set, run the following command:
│ │ │ │ -$ grep AuthSchemes /etc/chromium/policies/managed/*.json
│ │ │ │ -The output should contain:
│ │ │ │ -"AuthSchemes": "",
│ │ │ │ -      Is it the case that it is not set?</ocil:question_text>
│ │ │ │ -        </ocil:boolean_question>
│ │ │ │          <ocil:boolean_question id="ocil:ssg-chromium_blacklist_extension_installation_question:question:1">
│ │ │ │            <ocil:question_text>To verify that all extensions are blacklisted from installing, run the following command:
│ │ │ │  $ grep ExtensionInstallBlacklist /etc/chromium/policies/managed/*.json
│ │ │ │  The output should contain:
│ │ │ │  "ExtensionInstallBlacklist": ["*"],
│ │ │ │        Is it the case that extensions are not blacklisted?</ocil:question_text>
│ │ │ │          </ocil:boolean_question>
│ │ │ │ -        <ocil:boolean_question id="ocil:ssg-chromium_enable_safe_browsing_question:question:1">
│ │ │ │ -          <ocil:question_text>To verify that the safe browsing feature is enabled, run the following command:
│ │ │ │ -$ grep SafeBrowsingEnabled /etc/chromium/policies/managed/*.json
│ │ │ │ +        <ocil:boolean_question id="ocil:ssg-chromium_disable_protocol_schemas_question:question:1">
│ │ │ │ +          <ocil:question_text>To verify that data synchronization is disabled, run the following command:
│ │ │ │ +$ grep URLBlacklist /etc/chromium/policies/managed/*.json
│ │ │ │  The output should contain:
│ │ │ │ -"SafeBrowsingEnabled": true,
│ │ │ │ -      Is it the case that it is not enabled?</ocil:question_text>
│ │ │ │ +"URLBlacklist": [""],
│ │ │ │ +      Is it the case that it is not disabled?</ocil:question_text>
│ │ │ │          </ocil:boolean_question>
│ │ │ │ -        <ocil:boolean_question id="ocil:ssg-chromium_enable_browser_history_question:question:1">
│ │ │ │ -          <ocil:question_text>To verify that saving the browser history is enabled, run the following command:
│ │ │ │ -$ grep SavingBrowserHistoryDisabled /etc/chromium/policies/managed/*.json
│ │ │ │ +        <ocil:boolean_question id="ocil:ssg-chromium_check_cert_revocation_question:question:1">
│ │ │ │ +          <ocil:question_text>To verify that online OCSP/CRL checks are enabled, run the following command:
│ │ │ │ +$ grep EnableOnlineRevocationChecks /etc/chromium/policies/managed/*.json
│ │ │ │  The output should contain:
│ │ │ │ -"SavingBrowserHistoryDisabled": false,
│ │ │ │ +"EnableOnlineRevocationChecks": true,
│ │ │ │        Is it the case that it is not enabled?</ocil:question_text>
│ │ │ │          </ocil:boolean_question>
│ │ │ │ +        <ocil:boolean_question id="ocil:ssg-chromium_plugins_require_authorization_question:question:1">
│ │ │ │ +          <ocil:question_text>To verify that plugins require authorization to run, run the following command:
│ │ │ │ +$ grep AlwaysAuthorizePlugins /etc/chromium/policies/managed/*.json
│ │ │ │ +The output should contain:
│ │ │ │ +"AlwaysAuthorizePlugins": false,
│ │ │ │ +      Is it the case that it is not set?</ocil:question_text>
│ │ │ │ +        </ocil:boolean_question>
│ │ │ │          <ocil:boolean_question id="ocil:ssg-chromium_disable_network_prediction_question:question:1">
│ │ │ │            <ocil:question_text>To verify that network prediction is disabled, run the following command:
│ │ │ │  $ grep DnsPrefetchingEnabled /etc/chromium/policies/managed/*.json
│ │ │ │  The output should contain:
│ │ │ │  "DnsPrefetchingEnabled": false,
│ │ │ │        Is it the case that it is not disabled?</ocil:question_text>
│ │ │ │          </ocil:boolean_question>
│ │ │ │ +        <ocil:boolean_question id="ocil:ssg-chromium_disable_session_cookies_question:question:1">
│ │ │ │ +          <ocil:question_text>To verify that sessions cookies for approved sites only are enabled,
│ │ │ │ +run the following command:
│ │ │ │ +$ grep CookiesSessionOnlyForUrls /etc/chromium/policies/managed/*.json
│ │ │ │ +The output should contain:
│ │ │ │ +"CookiesSessionOnlyForUrls": ["none"],
│ │ │ │ +      Is it the case that it is not disabled?</ocil:question_text>
│ │ │ │ +        </ocil:boolean_question>
│ │ │ │ +        <ocil:boolean_question id="ocil:ssg-chromium_disable_incognito_mode_question:question:1">
│ │ │ │ +          <ocil:question_text>To verify that incognito mode is disabled, run the following command:
│ │ │ │ +$ grep IncognitoModeAvailability /etc/chromium/policies/managed/*.json
│ │ │ │ +The output should contain:
│ │ │ │ +"IncognitoModeAvailability": 1,
│ │ │ │ +      Is it the case that it is not disabled?</ocil:question_text>
│ │ │ │ +        </ocil:boolean_question>
│ │ │ │ +        <ocil:boolean_question id="ocil:ssg-chromium_whitelist_plugin_urls_question:question:1">
│ │ │ │ +          <ocil:question_text>To verify that plugins are allowed for only approved URLs, 
│ │ │ │ +run the following command:
│ │ │ │ +$ grep PluginsAllowedForUrls /etc/chromium/policies/managed/*.json
│ │ │ │ +The output should contain:
│ │ │ │ +"PluginsAllowedForUrls": ["[*.]mil", "[*.]example.com", "www.example.com"],
│ │ │ │ +      Is it the case that no urls exist or it is not set to none?</ocil:question_text>
│ │ │ │ +        </ocil:boolean_question>
│ │ │ │        </ocil:questions>
│ │ │ │      </ocil:ocil>
│ │ │ │    </ds:component>
│ │ │ │    <ds:component id="scap_org.open-scap_comp_ssg-chromium-cpe-oval.xml" timestamp="2025-03-01T08:08:00">
│ │ │ │      <oval-def:oval_definitions xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-common-5 oval-common-schema.xsd  http://oval.mitre.org/XMLSchema/oval-definitions-5 oval-definitions-schema.xsd  http://oval.mitre.org/XMLSchema/oval-definitions-5#independent independent-definitions-schema.xsd  http://oval.mitre.org/XMLSchema/oval-definitions-5#unix unix-definitions-schema.xsd  http://oval.mitre.org/XMLSchema/oval-definitions-5#linux linux-definitions-schema.xsd">
│ │ │ │        <oval-def:generator>
│ │ │ │          <oval:product_name>build_cpe.py from SCAP Security Guide</oval:product_name>
│ │ ├── ./usr/share/xml/scap/ssg/content/ssg-chromium-ocil.xml
│ │ │ ├── ./usr/share/xml/scap/ssg/content/ssg-chromium-ocil.xml
│ │ │ │┄ Ordering differences only
│ │ │ │ @@ -9,433 +9,433 @@
│ │ │ │    <ocil:questionnaires>
│ │ │ │      <ocil:questionnaire id="ocil:ssg-chromium_disable_google_sync_ocil:questionnaire:1">
│ │ │ │        <ocil:title>Disable Data Synchronization to Google</ocil:title>
│ │ │ │        <ocil:actions>
│ │ │ │          <ocil:test_action_ref>ocil:ssg-chromium_disable_google_sync_action:testaction:1</ocil:test_action_ref>
│ │ │ │        </ocil:actions>
│ │ │ │      </ocil:questionnaire>
│ │ │ │ +    <ocil:questionnaire id="ocil:ssg-chromium_disable_metrics_reporting_ocil:questionnaire:1">
│ │ │ │ +      <ocil:title>Disable Metrics Reporting</ocil:title>
│ │ │ │ +      <ocil:actions>
│ │ │ │ +        <ocil:test_action_ref>ocil:ssg-chromium_disable_metrics_reporting_action:testaction:1</ocil:test_action_ref>
│ │ │ │ +      </ocil:actions>
│ │ │ │ +    </ocil:questionnaire>
│ │ │ │      <ocil:questionnaire id="ocil:ssg-chromium_disable_3d_graphics_api_ocil:questionnaire:1">
│ │ │ │        <ocil:title>Disable the 3D Graphics APIs</ocil:title>
│ │ │ │        <ocil:actions>
│ │ │ │          <ocil:test_action_ref>ocil:ssg-chromium_disable_3d_graphics_api_action:testaction:1</ocil:test_action_ref>
│ │ │ │        </ocil:actions>
│ │ │ │      </ocil:questionnaire>
│ │ │ │ +    <ocil:questionnaire id="ocil:ssg-chromium_disable_saved_passwords_ocil:questionnaire:1">
│ │ │ │ +      <ocil:title>Disable Saved Passwords</ocil:title>
│ │ │ │ +      <ocil:actions>
│ │ │ │ +        <ocil:test_action_ref>ocil:ssg-chromium_disable_saved_passwords_action:testaction:1</ocil:test_action_ref>
│ │ │ │ +      </ocil:actions>
│ │ │ │ +    </ocil:questionnaire>
│ │ │ │ +    <ocil:questionnaire id="ocil:ssg-chromium_policy_file_ocil:questionnaire:1">
│ │ │ │ +      <ocil:title>Ensure the Chromium Policy Configuration File Exists</ocil:title>
│ │ │ │ +      <ocil:actions>
│ │ │ │ +        <ocil:test_action_ref>ocil:ssg-chromium_policy_file_action:testaction:1</ocil:test_action_ref>
│ │ │ │ +      </ocil:actions>
│ │ │ │ +    </ocil:questionnaire>
│ │ │ │ +    <ocil:questionnaire id="ocil:ssg-chromium_disable_autocomplete_ocil:questionnaire:1">
│ │ │ │ +      <ocil:title>Disable the AutoFill Feature</ocil:title>
│ │ │ │ +      <ocil:actions>
│ │ │ │ +        <ocil:test_action_ref>ocil:ssg-chromium_disable_autocomplete_action:testaction:1</ocil:test_action_ref>
│ │ │ │ +      </ocil:actions>
│ │ │ │ +    </ocil:questionnaire>
│ │ │ │      <ocil:questionnaire id="ocil:ssg-chromium_disable_cleartext_passwords_ocil:questionnaire:1">
│ │ │ │        <ocil:title>Disable Use of Cleartext Passwords</ocil:title>
│ │ │ │        <ocil:actions>
│ │ │ │          <ocil:test_action_ref>ocil:ssg-chromium_disable_cleartext_passwords_action:testaction:1</ocil:test_action_ref>
│ │ │ │        </ocil:actions>
│ │ │ │      </ocil:questionnaire>
│ │ │ │ -    <ocil:questionnaire id="ocil:ssg-chromium_default_block_plugins_ocil:questionnaire:1">
│ │ │ │ -      <ocil:title>Block Plugins by Default</ocil:title>
│ │ │ │ +    <ocil:questionnaire id="ocil:ssg-chromium_enable_browser_history_ocil:questionnaire:1">
│ │ │ │ +      <ocil:title>Enable Saving the Browser History</ocil:title>
│ │ │ │        <ocil:actions>
│ │ │ │ -        <ocil:test_action_ref>ocil:ssg-chromium_default_block_plugins_action:testaction:1</ocil:test_action_ref>
│ │ │ │ +        <ocil:test_action_ref>ocil:ssg-chromium_enable_browser_history_action:testaction:1</ocil:test_action_ref>
│ │ │ │        </ocil:actions>
│ │ │ │      </ocil:questionnaire>
│ │ │ │ -    <ocil:questionnaire id="ocil:ssg-chromium_disable_thirdparty_cookies_ocil:questionnaire:1">
│ │ │ │ -      <ocil:title>Disable 3rd Party Cookies</ocil:title>
│ │ │ │ +    <ocil:questionnaire id="ocil:ssg-chromium_enable_encrypted_searching_ocil:questionnaire:1">
│ │ │ │ +      <ocil:title>Enable Encrypted Searching</ocil:title>
│ │ │ │        <ocil:actions>
│ │ │ │ -        <ocil:test_action_ref>ocil:ssg-chromium_disable_thirdparty_cookies_action:testaction:1</ocil:test_action_ref>
│ │ │ │ +        <ocil:test_action_ref>ocil:ssg-chromium_enable_encrypted_searching_action:testaction:1</ocil:test_action_ref>
│ │ │ │        </ocil:actions>
│ │ │ │      </ocil:questionnaire>
│ │ │ │ -    <ocil:questionnaire id="ocil:ssg-chromium_block_desktop_notifications_ocil:questionnaire:1">
│ │ │ │ -      <ocil:title>Prevent Desktop Notifications</ocil:title>
│ │ │ │ +    <ocil:questionnaire id="ocil:ssg-chromium_disable_thirdparty_cookies_ocil:questionnaire:1">
│ │ │ │ +      <ocil:title>Disable 3rd Party Cookies</ocil:title>
│ │ │ │        <ocil:actions>
│ │ │ │ -        <ocil:test_action_ref>ocil:ssg-chromium_block_desktop_notifications_action:testaction:1</ocil:test_action_ref>
│ │ │ │ +        <ocil:test_action_ref>ocil:ssg-chromium_disable_thirdparty_cookies_action:testaction:1</ocil:test_action_ref>
│ │ │ │        </ocil:actions>
│ │ │ │      </ocil:questionnaire>
│ │ │ │ -    <ocil:questionnaire id="ocil:ssg-chromium_disable_firewall_traversal_ocil:questionnaire:1">
│ │ │ │ -      <ocil:title>Disable Chromium's Ability to Traverse Firewalls</ocil:title>
│ │ │ │ +    <ocil:questionnaire id="ocil:ssg-chromium_enable_approved_plugins_ocil:questionnaire:1">
│ │ │ │ +      <ocil:title>Enable Only Approved Plugins</ocil:title>
│ │ │ │        <ocil:actions>
│ │ │ │ -        <ocil:test_action_ref>ocil:ssg-chromium_disable_firewall_traversal_action:testaction:1</ocil:test_action_ref>
│ │ │ │ +        <ocil:test_action_ref>ocil:ssg-chromium_enable_approved_plugins_action:testaction:1</ocil:test_action_ref>
│ │ │ │        </ocil:actions>
│ │ │ │      </ocil:questionnaire>
│ │ │ │ -    <ocil:questionnaire id="ocil:ssg-chromium_disable_popups_ocil:questionnaire:1">
│ │ │ │ -      <ocil:title>Disable Popups</ocil:title>
│ │ │ │ +    <ocil:questionnaire id="ocil:ssg-chromium_trusted_home_page_ocil:questionnaire:1">
│ │ │ │ +      <ocil:title>Set the Default Home Page</ocil:title>
│ │ │ │        <ocil:actions>
│ │ │ │ -        <ocil:test_action_ref>ocil:ssg-chromium_disable_popups_action:testaction:1</ocil:test_action_ref>
│ │ │ │ +        <ocil:test_action_ref>ocil:ssg-chromium_trusted_home_page_action:testaction:1</ocil:test_action_ref>
│ │ │ │        </ocil:actions>
│ │ │ │      </ocil:questionnaire>
│ │ │ │      <ocil:questionnaire id="ocil:ssg-chromium_default_search_provider_ocil:questionnaire:1">
│ │ │ │        <ocil:title>Enable the Default Search Provider</ocil:title>
│ │ │ │        <ocil:actions>
│ │ │ │          <ocil:test_action_ref>ocil:ssg-chromium_default_search_provider_action:testaction:1</ocil:test_action_ref>
│ │ │ │        </ocil:actions>
│ │ │ │      </ocil:questionnaire>
│ │ │ │ -    <ocil:questionnaire id="ocil:ssg-chromium_disable_outdated_plugins_ocil:questionnaire:1">
│ │ │ │ -      <ocil:title>Disable Outdated Plugins</ocil:title>
│ │ │ │ +    <ocil:questionnaire id="ocil:ssg-chromium_block_desktop_notifications_ocil:questionnaire:1">
│ │ │ │ +      <ocil:title>Prevent Desktop Notifications</ocil:title>
│ │ │ │        <ocil:actions>
│ │ │ │ -        <ocil:test_action_ref>ocil:ssg-chromium_disable_outdated_plugins_action:testaction:1</ocil:test_action_ref>
│ │ │ │ +        <ocil:test_action_ref>ocil:ssg-chromium_block_desktop_notifications_action:testaction:1</ocil:test_action_ref>
│ │ │ │        </ocil:actions>
│ │ │ │      </ocil:questionnaire>
│ │ │ │ -    <ocil:questionnaire id="ocil:ssg-chromium_extension_whitelist_ocil:questionnaire:1">
│ │ │ │ -      <ocil:title>Enable Only Approved Extensions</ocil:title>
│ │ │ │ +    <ocil:questionnaire id="ocil:ssg-chromium_disable_popups_ocil:questionnaire:1">
│ │ │ │ +      <ocil:title>Disable Popups</ocil:title>
│ │ │ │        <ocil:actions>
│ │ │ │ -        <ocil:test_action_ref>ocil:ssg-chromium_extension_whitelist_action:testaction:1</ocil:test_action_ref>
│ │ │ │ +        <ocil:test_action_ref>ocil:ssg-chromium_disable_popups_action:testaction:1</ocil:test_action_ref>
│ │ │ │        </ocil:actions>
│ │ │ │      </ocil:questionnaire>
│ │ │ │ -    <ocil:questionnaire id="ocil:ssg-chromium_enable_approved_plugins_ocil:questionnaire:1">
│ │ │ │ -      <ocil:title>Enable Only Approved Plugins</ocil:title>
│ │ │ │ +    <ocil:questionnaire id="ocil:ssg-chromium_disable_cloud_print_sharing_ocil:questionnaire:1">
│ │ │ │ +      <ocil:title>Disable Cloud Print Sharing</ocil:title>
│ │ │ │        <ocil:actions>
│ │ │ │ -        <ocil:test_action_ref>ocil:ssg-chromium_enable_approved_plugins_action:testaction:1</ocil:test_action_ref>
│ │ │ │ +        <ocil:test_action_ref>ocil:ssg-chromium_disable_cloud_print_sharing_action:testaction:1</ocil:test_action_ref>
│ │ │ │        </ocil:actions>
│ │ │ │      </ocil:questionnaire>
│ │ │ │ -    <ocil:questionnaire id="ocil:ssg-chromium_disable_automatic_installation_ocil:questionnaire:1">
│ │ │ │ -      <ocil:title>Disable Automatic Search And Installation of Plugins</ocil:title>
│ │ │ │ +    <ocil:questionnaire id="ocil:ssg-chromium_default_block_plugins_ocil:questionnaire:1">
│ │ │ │ +      <ocil:title>Block Plugins by Default</ocil:title>
│ │ │ │        <ocil:actions>
│ │ │ │ -        <ocil:test_action_ref>ocil:ssg-chromium_disable_automatic_installation_action:testaction:1</ocil:test_action_ref>
│ │ │ │ +        <ocil:test_action_ref>ocil:ssg-chromium_default_block_plugins_action:testaction:1</ocil:test_action_ref>
│ │ │ │        </ocil:actions>
│ │ │ │      </ocil:questionnaire>
│ │ │ │ -    <ocil:questionnaire id="ocil:ssg-chromium_disable_metrics_reporting_ocil:questionnaire:1">
│ │ │ │ -      <ocil:title>Disable Metrics Reporting</ocil:title>
│ │ │ │ +    <ocil:questionnaire id="ocil:ssg-chromium_extension_whitelist_ocil:questionnaire:1">
│ │ │ │ +      <ocil:title>Enable Only Approved Extensions</ocil:title>
│ │ │ │        <ocil:actions>
│ │ │ │ -        <ocil:test_action_ref>ocil:ssg-chromium_disable_metrics_reporting_action:testaction:1</ocil:test_action_ref>
│ │ │ │ +        <ocil:test_action_ref>ocil:ssg-chromium_extension_whitelist_action:testaction:1</ocil:test_action_ref>
│ │ │ │        </ocil:actions>
│ │ │ │      </ocil:questionnaire>
│ │ │ │ -    <ocil:questionnaire id="ocil:ssg-chromium_policy_file_ocil:questionnaire:1">
│ │ │ │ -      <ocil:title>Ensure the Chromium Policy Configuration File Exists</ocil:title>
│ │ │ │ +    <ocil:questionnaire id="ocil:ssg-chromium_disable_background_processing_ocil:questionnaire:1">
│ │ │ │ +      <ocil:title>Disable Background Processing</ocil:title>
│ │ │ │        <ocil:actions>
│ │ │ │ -        <ocil:test_action_ref>ocil:ssg-chromium_policy_file_action:testaction:1</ocil:test_action_ref>
│ │ │ │ +        <ocil:test_action_ref>ocil:ssg-chromium_disable_background_processing_action:testaction:1</ocil:test_action_ref>
│ │ │ │        </ocil:actions>
│ │ │ │      </ocil:questionnaire>
│ │ │ │ -    <ocil:questionnaire id="ocil:ssg-chromium_check_cert_revocation_ocil:questionnaire:1">
│ │ │ │ -      <ocil:title>Enable Online OCSP/CRL Certificate Checks</ocil:title>
│ │ │ │ +    <ocil:questionnaire id="ocil:ssg-chromium_disable_firewall_traversal_ocil:questionnaire:1">
│ │ │ │ +      <ocil:title>Disable Chromium's Ability to Traverse Firewalls</ocil:title>
│ │ │ │        <ocil:actions>
│ │ │ │ -        <ocil:test_action_ref>ocil:ssg-chromium_check_cert_revocation_action:testaction:1</ocil:test_action_ref>
│ │ │ │ +        <ocil:test_action_ref>ocil:ssg-chromium_disable_firewall_traversal_action:testaction:1</ocil:test_action_ref>
│ │ │ │        </ocil:actions>
│ │ │ │      </ocil:questionnaire>
│ │ │ │ -    <ocil:questionnaire id="ocil:ssg-chromium_disable_incognito_mode_ocil:questionnaire:1">
│ │ │ │ -      <ocil:title>Disable Incognito Mode</ocil:title>
│ │ │ │ +    <ocil:questionnaire id="ocil:ssg-chromium_enable_safe_browsing_ocil:questionnaire:1">
│ │ │ │ +      <ocil:title>Enable the Safe Browsing Feature</ocil:title>
│ │ │ │        <ocil:actions>
│ │ │ │ -        <ocil:test_action_ref>ocil:ssg-chromium_disable_incognito_mode_action:testaction:1</ocil:test_action_ref>
│ │ │ │ +        <ocil:test_action_ref>ocil:ssg-chromium_enable_safe_browsing_action:testaction:1</ocil:test_action_ref>
│ │ │ │        </ocil:actions>
│ │ │ │      </ocil:questionnaire>
│ │ │ │      <ocil:questionnaire id="ocil:ssg-chromium_disallow_location_tracking_ocil:questionnaire:1">
│ │ │ │        <ocil:title>Disable Location Tracking</ocil:title>
│ │ │ │        <ocil:actions>
│ │ │ │          <ocil:test_action_ref>ocil:ssg-chromium_disallow_location_tracking_action:testaction:1</ocil:test_action_ref>
│ │ │ │        </ocil:actions>
│ │ │ │      </ocil:questionnaire>
│ │ │ │ -    <ocil:questionnaire id="ocil:ssg-chromium_enable_encrypted_searching_ocil:questionnaire:1">
│ │ │ │ -      <ocil:title>Enable Encrypted Searching</ocil:title>
│ │ │ │ -      <ocil:actions>
│ │ │ │ -        <ocil:test_action_ref>ocil:ssg-chromium_enable_encrypted_searching_action:testaction:1</ocil:test_action_ref>
│ │ │ │ -      </ocil:actions>
│ │ │ │ -    </ocil:questionnaire>
│ │ │ │ -    <ocil:questionnaire id="ocil:ssg-chromium_disable_password_manager_ocil:questionnaire:1">
│ │ │ │ -      <ocil:title>Disable Chromium Password Manager</ocil:title>
│ │ │ │ +    <ocil:questionnaire id="ocil:ssg-chromium_disable_outdated_plugins_ocil:questionnaire:1">
│ │ │ │ +      <ocil:title>Disable Outdated Plugins</ocil:title>
│ │ │ │        <ocil:actions>
│ │ │ │ -        <ocil:test_action_ref>ocil:ssg-chromium_disable_password_manager_action:testaction:1</ocil:test_action_ref>
│ │ │ │ +        <ocil:test_action_ref>ocil:ssg-chromium_disable_outdated_plugins_action:testaction:1</ocil:test_action_ref>
│ │ │ │        </ocil:actions>
│ │ │ │      </ocil:questionnaire>
│ │ │ │ -    <ocil:questionnaire id="ocil:ssg-chromium_disable_session_cookies_ocil:questionnaire:1">
│ │ │ │ -      <ocil:title>Disable Session Cookies</ocil:title>
│ │ │ │ +    <ocil:questionnaire id="ocil:ssg-chromium_http_authentication_ocil:questionnaire:1">
│ │ │ │ +      <ocil:title>Set Chromium's HTTP Authentication Scheme</ocil:title>
│ │ │ │        <ocil:actions>
│ │ │ │ -        <ocil:test_action_ref>ocil:ssg-chromium_disable_session_cookies_action:testaction:1</ocil:test_action_ref>
│ │ │ │ +        <ocil:test_action_ref>ocil:ssg-chromium_http_authentication_action:testaction:1</ocil:test_action_ref>
│ │ │ │        </ocil:actions>
│ │ │ │      </ocil:questionnaire>
│ │ │ │ -    <ocil:questionnaire id="ocil:ssg-chromium_trusted_home_page_ocil:questionnaire:1">
│ │ │ │ -      <ocil:title>Set the Default Home Page</ocil:title>
│ │ │ │ +    <ocil:questionnaire id="ocil:ssg-chromium_disable_search_suggestions_ocil:questionnaire:1">
│ │ │ │ +      <ocil:title>Disable Search Suggestion</ocil:title>
│ │ │ │        <ocil:actions>
│ │ │ │ -        <ocil:test_action_ref>ocil:ssg-chromium_trusted_home_page_action:testaction:1</ocil:test_action_ref>
│ │ │ │ +        <ocil:test_action_ref>ocil:ssg-chromium_disable_search_suggestions_action:testaction:1</ocil:test_action_ref>
│ │ │ │        </ocil:actions>
│ │ │ │      </ocil:questionnaire>
│ │ │ │      <ocil:questionnaire id="ocil:ssg-chromium_disable_plugin_blacklist_ocil:questionnaire:1">
│ │ │ │        <ocil:title>Disable All Plugins by Default</ocil:title>
│ │ │ │        <ocil:actions>
│ │ │ │          <ocil:test_action_ref>ocil:ssg-chromium_disable_plugin_blacklist_action:testaction:1</ocil:test_action_ref>
│ │ │ │        </ocil:actions>
│ │ │ │      </ocil:questionnaire>
│ │ │ │ -    <ocil:questionnaire id="ocil:ssg-chromium_disable_cloud_print_sharing_ocil:questionnaire:1">
│ │ │ │ -      <ocil:title>Disable Cloud Print Sharing</ocil:title>
│ │ │ │ -      <ocil:actions>
│ │ │ │ -        <ocil:test_action_ref>ocil:ssg-chromium_disable_cloud_print_sharing_action:testaction:1</ocil:test_action_ref>
│ │ │ │ -      </ocil:actions>
│ │ │ │ -    </ocil:questionnaire>
│ │ │ │ -    <ocil:questionnaire id="ocil:ssg-chromium_disable_protocol_schemas_ocil:questionnaire:1">
│ │ │ │ -      <ocil:title>Disable Insecure And Obsolete Protocol Schemas</ocil:title>
│ │ │ │ -      <ocil:actions>
│ │ │ │ -        <ocil:test_action_ref>ocil:ssg-chromium_disable_protocol_schemas_action:testaction:1</ocil:test_action_ref>
│ │ │ │ -      </ocil:actions>
│ │ │ │ -    </ocil:questionnaire>
│ │ │ │ -    <ocil:questionnaire id="ocil:ssg-chromium_plugins_require_authorization_ocil:questionnaire:1">
│ │ │ │ -      <ocil:title>Require Outdated Plugins to be Authorized</ocil:title>
│ │ │ │ -      <ocil:actions>
│ │ │ │ -        <ocil:test_action_ref>ocil:ssg-chromium_plugins_require_authorization_action:testaction:1</ocil:test_action_ref>
│ │ │ │ -      </ocil:actions>
│ │ │ │ -    </ocil:questionnaire>
│ │ │ │      <ocil:questionnaire id="ocil:ssg-chromium_default_search_provider_name_ocil:questionnaire:1">
│ │ │ │        <ocil:title>Set the Default Search Provider's URL</ocil:title>
│ │ │ │        <ocil:actions>
│ │ │ │          <ocil:test_action_ref>ocil:ssg-chromium_default_search_provider_name_action:testaction:1</ocil:test_action_ref>
│ │ │ │        </ocil:actions>
│ │ │ │      </ocil:questionnaire>
│ │ │ │ -    <ocil:questionnaire id="ocil:ssg-chromium_whitelist_plugin_urls_ocil:questionnaire:1">
│ │ │ │ -      <ocil:title>Enable Plugins for Only Approved URLs</ocil:title>
│ │ │ │ +    <ocil:questionnaire id="ocil:ssg-chromium_disable_password_manager_ocil:questionnaire:1">
│ │ │ │ +      <ocil:title>Disable Chromium Password Manager</ocil:title>
│ │ │ │        <ocil:actions>
│ │ │ │ -        <ocil:test_action_ref>ocil:ssg-chromium_whitelist_plugin_urls_action:testaction:1</ocil:test_action_ref>
│ │ │ │ +        <ocil:test_action_ref>ocil:ssg-chromium_disable_password_manager_action:testaction:1</ocil:test_action_ref>
│ │ │ │        </ocil:actions>
│ │ │ │      </ocil:questionnaire>
│ │ │ │ -    <ocil:questionnaire id="ocil:ssg-chromium_disable_saved_passwords_ocil:questionnaire:1">
│ │ │ │ -      <ocil:title>Disable Saved Passwords</ocil:title>
│ │ │ │ +    <ocil:questionnaire id="ocil:ssg-chromium_disable_automatic_installation_ocil:questionnaire:1">
│ │ │ │ +      <ocil:title>Disable Automatic Search And Installation of Plugins</ocil:title>
│ │ │ │        <ocil:actions>
│ │ │ │ -        <ocil:test_action_ref>ocil:ssg-chromium_disable_saved_passwords_action:testaction:1</ocil:test_action_ref>
│ │ │ │ +        <ocil:test_action_ref>ocil:ssg-chromium_disable_automatic_installation_action:testaction:1</ocil:test_action_ref>
│ │ │ │        </ocil:actions>
│ │ │ │      </ocil:questionnaire>
│ │ │ │ -    <ocil:questionnaire id="ocil:ssg-chromium_disable_search_suggestions_ocil:questionnaire:1">
│ │ │ │ -      <ocil:title>Disable Search Suggestion</ocil:title>
│ │ │ │ +    <ocil:questionnaire id="ocil:ssg-chromium_blacklist_extension_installation_ocil:questionnaire:1">
│ │ │ │ +      <ocil:title>Disable All Extensions by Default</ocil:title>
│ │ │ │        <ocil:actions>
│ │ │ │ -        <ocil:test_action_ref>ocil:ssg-chromium_disable_search_suggestions_action:testaction:1</ocil:test_action_ref>
│ │ │ │ +        <ocil:test_action_ref>ocil:ssg-chromium_blacklist_extension_installation_action:testaction:1</ocil:test_action_ref>
│ │ │ │        </ocil:actions>
│ │ │ │      </ocil:questionnaire>
│ │ │ │ -    <ocil:questionnaire id="ocil:ssg-chromium_disable_background_processing_ocil:questionnaire:1">
│ │ │ │ -      <ocil:title>Disable Background Processing</ocil:title>
│ │ │ │ +    <ocil:questionnaire id="ocil:ssg-chromium_disable_protocol_schemas_ocil:questionnaire:1">
│ │ │ │ +      <ocil:title>Disable Insecure And Obsolete Protocol Schemas</ocil:title>
│ │ │ │        <ocil:actions>
│ │ │ │ -        <ocil:test_action_ref>ocil:ssg-chromium_disable_background_processing_action:testaction:1</ocil:test_action_ref>
│ │ │ │ +        <ocil:test_action_ref>ocil:ssg-chromium_disable_protocol_schemas_action:testaction:1</ocil:test_action_ref>
│ │ │ │        </ocil:actions>
│ │ │ │      </ocil:questionnaire>
│ │ │ │ -    <ocil:questionnaire id="ocil:ssg-chromium_disable_autocomplete_ocil:questionnaire:1">
│ │ │ │ -      <ocil:title>Disable the AutoFill Feature</ocil:title>
│ │ │ │ +    <ocil:questionnaire id="ocil:ssg-chromium_check_cert_revocation_ocil:questionnaire:1">
│ │ │ │ +      <ocil:title>Enable Online OCSP/CRL Certificate Checks</ocil:title>
│ │ │ │        <ocil:actions>
│ │ │ │ -        <ocil:test_action_ref>ocil:ssg-chromium_disable_autocomplete_action:testaction:1</ocil:test_action_ref>
│ │ │ │ +        <ocil:test_action_ref>ocil:ssg-chromium_check_cert_revocation_action:testaction:1</ocil:test_action_ref>
│ │ │ │        </ocil:actions>
│ │ │ │      </ocil:questionnaire>
│ │ │ │ -    <ocil:questionnaire id="ocil:ssg-chromium_http_authentication_ocil:questionnaire:1">
│ │ │ │ -      <ocil:title>Set Chromium's HTTP Authentication Scheme</ocil:title>
│ │ │ │ +    <ocil:questionnaire id="ocil:ssg-chromium_plugins_require_authorization_ocil:questionnaire:1">
│ │ │ │ +      <ocil:title>Require Outdated Plugins to be Authorized</ocil:title>
│ │ │ │        <ocil:actions>
│ │ │ │ -        <ocil:test_action_ref>ocil:ssg-chromium_http_authentication_action:testaction:1</ocil:test_action_ref>
│ │ │ │ +        <ocil:test_action_ref>ocil:ssg-chromium_plugins_require_authorization_action:testaction:1</ocil:test_action_ref>
│ │ │ │        </ocil:actions>
│ │ │ │      </ocil:questionnaire>
│ │ │ │ -    <ocil:questionnaire id="ocil:ssg-chromium_blacklist_extension_installation_ocil:questionnaire:1">
│ │ │ │ -      <ocil:title>Disable All Extensions by Default</ocil:title>
│ │ │ │ +    <ocil:questionnaire id="ocil:ssg-chromium_disable_network_prediction_ocil:questionnaire:1">
│ │ │ │ +      <ocil:title>Disable Network Prediction</ocil:title>
│ │ │ │        <ocil:actions>
│ │ │ │ -        <ocil:test_action_ref>ocil:ssg-chromium_blacklist_extension_installation_action:testaction:1</ocil:test_action_ref>
│ │ │ │ +        <ocil:test_action_ref>ocil:ssg-chromium_disable_network_prediction_action:testaction:1</ocil:test_action_ref>
│ │ │ │        </ocil:actions>
│ │ │ │      </ocil:questionnaire>
│ │ │ │ -    <ocil:questionnaire id="ocil:ssg-chromium_enable_safe_browsing_ocil:questionnaire:1">
│ │ │ │ -      <ocil:title>Enable the Safe Browsing Feature</ocil:title>
│ │ │ │ +    <ocil:questionnaire id="ocil:ssg-chromium_disable_session_cookies_ocil:questionnaire:1">
│ │ │ │ +      <ocil:title>Disable Session Cookies</ocil:title>
│ │ │ │        <ocil:actions>
│ │ │ │ -        <ocil:test_action_ref>ocil:ssg-chromium_enable_safe_browsing_action:testaction:1</ocil:test_action_ref>
│ │ │ │ +        <ocil:test_action_ref>ocil:ssg-chromium_disable_session_cookies_action:testaction:1</ocil:test_action_ref>
│ │ │ │        </ocil:actions>
│ │ │ │      </ocil:questionnaire>
│ │ │ │ -    <ocil:questionnaire id="ocil:ssg-chromium_enable_browser_history_ocil:questionnaire:1">
│ │ │ │ -      <ocil:title>Enable Saving the Browser History</ocil:title>
│ │ │ │ +    <ocil:questionnaire id="ocil:ssg-chromium_disable_incognito_mode_ocil:questionnaire:1">
│ │ │ │ +      <ocil:title>Disable Incognito Mode</ocil:title>
│ │ │ │        <ocil:actions>
│ │ │ │ -        <ocil:test_action_ref>ocil:ssg-chromium_enable_browser_history_action:testaction:1</ocil:test_action_ref>
│ │ │ │ +        <ocil:test_action_ref>ocil:ssg-chromium_disable_incognito_mode_action:testaction:1</ocil:test_action_ref>
│ │ │ │        </ocil:actions>
│ │ │ │      </ocil:questionnaire>
│ │ │ │ -    <ocil:questionnaire id="ocil:ssg-chromium_disable_network_prediction_ocil:questionnaire:1">
│ │ │ │ -      <ocil:title>Disable Network Prediction</ocil:title>
│ │ │ │ +    <ocil:questionnaire id="ocil:ssg-chromium_whitelist_plugin_urls_ocil:questionnaire:1">
│ │ │ │ +      <ocil:title>Enable Plugins for Only Approved URLs</ocil:title>
│ │ │ │        <ocil:actions>
│ │ │ │ -        <ocil:test_action_ref>ocil:ssg-chromium_disable_network_prediction_action:testaction:1</ocil:test_action_ref>
│ │ │ │ +        <ocil:test_action_ref>ocil:ssg-chromium_whitelist_plugin_urls_action:testaction:1</ocil:test_action_ref>
│ │ │ │        </ocil:actions>
│ │ │ │      </ocil:questionnaire>
│ │ │ │    </ocil:questionnaires>
│ │ │ │    <ocil:test_actions>
│ │ │ │      <ocil:boolean_question_test_action id="ocil:ssg-chromium_disable_google_sync_action:testaction:1" question_ref="ocil:ssg-chromium_disable_google_sync_question:question:1">
│ │ │ │        <ocil:when_true>
│ │ │ │          <ocil:result>PASS</ocil:result>
│ │ │ │        </ocil:when_true>
│ │ │ │        <ocil:when_false>
│ │ │ │          <ocil:result>FAIL</ocil:result>
│ │ │ │        </ocil:when_false>
│ │ │ │      </ocil:boolean_question_test_action>
│ │ │ │ -    <ocil:boolean_question_test_action id="ocil:ssg-chromium_disable_3d_graphics_api_action:testaction:1" question_ref="ocil:ssg-chromium_disable_3d_graphics_api_question:question:1">
│ │ │ │ +    <ocil:boolean_question_test_action id="ocil:ssg-chromium_disable_metrics_reporting_action:testaction:1" question_ref="ocil:ssg-chromium_disable_metrics_reporting_question:question:1">
│ │ │ │        <ocil:when_true>
│ │ │ │          <ocil:result>PASS</ocil:result>
│ │ │ │        </ocil:when_true>
│ │ │ │        <ocil:when_false>
│ │ │ │          <ocil:result>FAIL</ocil:result>
│ │ │ │        </ocil:when_false>
│ │ │ │      </ocil:boolean_question_test_action>
│ │ │ │ -    <ocil:boolean_question_test_action id="ocil:ssg-chromium_disable_cleartext_passwords_action:testaction:1" question_ref="ocil:ssg-chromium_disable_cleartext_passwords_question:question:1">
│ │ │ │ +    <ocil:boolean_question_test_action id="ocil:ssg-chromium_disable_3d_graphics_api_action:testaction:1" question_ref="ocil:ssg-chromium_disable_3d_graphics_api_question:question:1">
│ │ │ │        <ocil:when_true>
│ │ │ │          <ocil:result>PASS</ocil:result>
│ │ │ │        </ocil:when_true>
│ │ │ │        <ocil:when_false>
│ │ │ │          <ocil:result>FAIL</ocil:result>
│ │ │ │        </ocil:when_false>
│ │ │ │      </ocil:boolean_question_test_action>
│ │ │ │ -    <ocil:boolean_question_test_action id="ocil:ssg-chromium_default_block_plugins_action:testaction:1" question_ref="ocil:ssg-chromium_default_block_plugins_question:question:1">
│ │ │ │ +    <ocil:boolean_question_test_action id="ocil:ssg-chromium_disable_saved_passwords_action:testaction:1" question_ref="ocil:ssg-chromium_disable_saved_passwords_question:question:1">
│ │ │ │        <ocil:when_true>
│ │ │ │          <ocil:result>PASS</ocil:result>
│ │ │ │        </ocil:when_true>
│ │ │ │        <ocil:when_false>
│ │ │ │          <ocil:result>FAIL</ocil:result>
│ │ │ │        </ocil:when_false>
│ │ │ │      </ocil:boolean_question_test_action>
│ │ │ │ -    <ocil:boolean_question_test_action id="ocil:ssg-chromium_disable_thirdparty_cookies_action:testaction:1" question_ref="ocil:ssg-chromium_disable_thirdparty_cookies_question:question:1">
│ │ │ │ +    <ocil:boolean_question_test_action id="ocil:ssg-chromium_policy_file_action:testaction:1" question_ref="ocil:ssg-chromium_policy_file_question:question:1">
│ │ │ │        <ocil:when_true>
│ │ │ │          <ocil:result>PASS</ocil:result>
│ │ │ │        </ocil:when_true>
│ │ │ │        <ocil:when_false>
│ │ │ │          <ocil:result>FAIL</ocil:result>
│ │ │ │        </ocil:when_false>
│ │ │ │      </ocil:boolean_question_test_action>
│ │ │ │ -    <ocil:boolean_question_test_action id="ocil:ssg-chromium_block_desktop_notifications_action:testaction:1" question_ref="ocil:ssg-chromium_block_desktop_notifications_question:question:1">
│ │ │ │ +    <ocil:boolean_question_test_action id="ocil:ssg-chromium_disable_autocomplete_action:testaction:1" question_ref="ocil:ssg-chromium_disable_autocomplete_question:question:1">
│ │ │ │        <ocil:when_true>
│ │ │ │          <ocil:result>PASS</ocil:result>
│ │ │ │        </ocil:when_true>
│ │ │ │        <ocil:when_false>
│ │ │ │          <ocil:result>FAIL</ocil:result>
│ │ │ │        </ocil:when_false>
│ │ │ │      </ocil:boolean_question_test_action>
│ │ │ │ -    <ocil:boolean_question_test_action id="ocil:ssg-chromium_disable_firewall_traversal_action:testaction:1" question_ref="ocil:ssg-chromium_disable_firewall_traversal_question:question:1">
│ │ │ │ +    <ocil:boolean_question_test_action id="ocil:ssg-chromium_disable_cleartext_passwords_action:testaction:1" question_ref="ocil:ssg-chromium_disable_cleartext_passwords_question:question:1">
│ │ │ │        <ocil:when_true>
│ │ │ │          <ocil:result>PASS</ocil:result>
│ │ │ │        </ocil:when_true>
│ │ │ │        <ocil:when_false>
│ │ │ │          <ocil:result>FAIL</ocil:result>
│ │ │ │        </ocil:when_false>
│ │ │ │      </ocil:boolean_question_test_action>
│ │ │ │ -    <ocil:boolean_question_test_action id="ocil:ssg-chromium_disable_popups_action:testaction:1" question_ref="ocil:ssg-chromium_disable_popups_question:question:1">
│ │ │ │ +    <ocil:boolean_question_test_action id="ocil:ssg-chromium_enable_browser_history_action:testaction:1" question_ref="ocil:ssg-chromium_enable_browser_history_question:question:1">
│ │ │ │        <ocil:when_true>
│ │ │ │          <ocil:result>PASS</ocil:result>
│ │ │ │        </ocil:when_true>
│ │ │ │        <ocil:when_false>
│ │ │ │          <ocil:result>FAIL</ocil:result>
│ │ │ │        </ocil:when_false>
│ │ │ │      </ocil:boolean_question_test_action>
│ │ │ │ -    <ocil:boolean_question_test_action id="ocil:ssg-chromium_default_search_provider_action:testaction:1" question_ref="ocil:ssg-chromium_default_search_provider_question:question:1">
│ │ │ │ +    <ocil:boolean_question_test_action id="ocil:ssg-chromium_enable_encrypted_searching_action:testaction:1" question_ref="ocil:ssg-chromium_enable_encrypted_searching_question:question:1">
│ │ │ │        <ocil:when_true>
│ │ │ │          <ocil:result>PASS</ocil:result>
│ │ │ │        </ocil:when_true>
│ │ │ │        <ocil:when_false>
│ │ │ │          <ocil:result>FAIL</ocil:result>
│ │ │ │        </ocil:when_false>
│ │ │ │      </ocil:boolean_question_test_action>
│ │ │ │ -    <ocil:boolean_question_test_action id="ocil:ssg-chromium_disable_outdated_plugins_action:testaction:1" question_ref="ocil:ssg-chromium_disable_outdated_plugins_question:question:1">
│ │ │ │ +    <ocil:boolean_question_test_action id="ocil:ssg-chromium_disable_thirdparty_cookies_action:testaction:1" question_ref="ocil:ssg-chromium_disable_thirdparty_cookies_question:question:1">
│ │ │ │        <ocil:when_true>
│ │ │ │          <ocil:result>PASS</ocil:result>
│ │ │ │        </ocil:when_true>
│ │ │ │        <ocil:when_false>
│ │ │ │          <ocil:result>FAIL</ocil:result>
│ │ │ │        </ocil:when_false>
│ │ │ │      </ocil:boolean_question_test_action>
│ │ │ │ -    <ocil:boolean_question_test_action id="ocil:ssg-chromium_extension_whitelist_action:testaction:1" question_ref="ocil:ssg-chromium_extension_whitelist_question:question:1">
│ │ │ │ +    <ocil:boolean_question_test_action id="ocil:ssg-chromium_enable_approved_plugins_action:testaction:1" question_ref="ocil:ssg-chromium_enable_approved_plugins_question:question:1">
│ │ │ │        <ocil:when_true>
│ │ │ │          <ocil:result>PASS</ocil:result>
│ │ │ │        </ocil:when_true>
│ │ │ │        <ocil:when_false>
│ │ │ │          <ocil:result>FAIL</ocil:result>
│ │ │ │        </ocil:when_false>
│ │ │ │      </ocil:boolean_question_test_action>
│ │ │ │ -    <ocil:boolean_question_test_action id="ocil:ssg-chromium_enable_approved_plugins_action:testaction:1" question_ref="ocil:ssg-chromium_enable_approved_plugins_question:question:1">
│ │ │ │ +    <ocil:boolean_question_test_action id="ocil:ssg-chromium_trusted_home_page_action:testaction:1" question_ref="ocil:ssg-chromium_trusted_home_page_question:question:1">
│ │ │ │        <ocil:when_true>
│ │ │ │          <ocil:result>PASS</ocil:result>
│ │ │ │        </ocil:when_true>
│ │ │ │        <ocil:when_false>
│ │ │ │          <ocil:result>FAIL</ocil:result>
│ │ │ │        </ocil:when_false>
│ │ │ │      </ocil:boolean_question_test_action>
│ │ │ │ -    <ocil:boolean_question_test_action id="ocil:ssg-chromium_disable_automatic_installation_action:testaction:1" question_ref="ocil:ssg-chromium_disable_automatic_installation_question:question:1">
│ │ │ │ +    <ocil:boolean_question_test_action id="ocil:ssg-chromium_default_search_provider_action:testaction:1" question_ref="ocil:ssg-chromium_default_search_provider_question:question:1">
│ │ │ │        <ocil:when_true>
│ │ │ │          <ocil:result>PASS</ocil:result>
│ │ │ │        </ocil:when_true>
│ │ │ │        <ocil:when_false>
│ │ │ │          <ocil:result>FAIL</ocil:result>
│ │ │ │        </ocil:when_false>
│ │ │ │      </ocil:boolean_question_test_action>
│ │ │ │ -    <ocil:boolean_question_test_action id="ocil:ssg-chromium_disable_metrics_reporting_action:testaction:1" question_ref="ocil:ssg-chromium_disable_metrics_reporting_question:question:1">
│ │ │ │ +    <ocil:boolean_question_test_action id="ocil:ssg-chromium_block_desktop_notifications_action:testaction:1" question_ref="ocil:ssg-chromium_block_desktop_notifications_question:question:1">
│ │ │ │        <ocil:when_true>
│ │ │ │          <ocil:result>PASS</ocil:result>
│ │ │ │        </ocil:when_true>
│ │ │ │        <ocil:when_false>
│ │ │ │          <ocil:result>FAIL</ocil:result>
│ │ │ │        </ocil:when_false>
│ │ │ │      </ocil:boolean_question_test_action>
│ │ │ │ -    <ocil:boolean_question_test_action id="ocil:ssg-chromium_policy_file_action:testaction:1" question_ref="ocil:ssg-chromium_policy_file_question:question:1">
│ │ │ │ +    <ocil:boolean_question_test_action id="ocil:ssg-chromium_disable_popups_action:testaction:1" question_ref="ocil:ssg-chromium_disable_popups_question:question:1">
│ │ │ │        <ocil:when_true>
│ │ │ │          <ocil:result>PASS</ocil:result>
│ │ │ │        </ocil:when_true>
│ │ │ │        <ocil:when_false>
│ │ │ │          <ocil:result>FAIL</ocil:result>
│ │ │ │        </ocil:when_false>
│ │ │ │      </ocil:boolean_question_test_action>
│ │ │ │ -    <ocil:boolean_question_test_action id="ocil:ssg-chromium_check_cert_revocation_action:testaction:1" question_ref="ocil:ssg-chromium_check_cert_revocation_question:question:1">
│ │ │ │ +    <ocil:boolean_question_test_action id="ocil:ssg-chromium_disable_cloud_print_sharing_action:testaction:1" question_ref="ocil:ssg-chromium_disable_cloud_print_sharing_question:question:1">
│ │ │ │        <ocil:when_true>
│ │ │ │          <ocil:result>PASS</ocil:result>
│ │ │ │        </ocil:when_true>
│ │ │ │        <ocil:when_false>
│ │ │ │          <ocil:result>FAIL</ocil:result>
│ │ │ │        </ocil:when_false>
│ │ │ │      </ocil:boolean_question_test_action>
│ │ │ │ -    <ocil:boolean_question_test_action id="ocil:ssg-chromium_disable_incognito_mode_action:testaction:1" question_ref="ocil:ssg-chromium_disable_incognito_mode_question:question:1">
│ │ │ │ +    <ocil:boolean_question_test_action id="ocil:ssg-chromium_default_block_plugins_action:testaction:1" question_ref="ocil:ssg-chromium_default_block_plugins_question:question:1">
│ │ │ │        <ocil:when_true>
│ │ │ │          <ocil:result>PASS</ocil:result>
│ │ │ │        </ocil:when_true>
│ │ │ │        <ocil:when_false>
│ │ │ │          <ocil:result>FAIL</ocil:result>
│ │ │ │        </ocil:when_false>
│ │ │ │      </ocil:boolean_question_test_action>
│ │ │ │ -    <ocil:boolean_question_test_action id="ocil:ssg-chromium_disallow_location_tracking_action:testaction:1" question_ref="ocil:ssg-chromium_disallow_location_tracking_question:question:1">
│ │ │ │ +    <ocil:boolean_question_test_action id="ocil:ssg-chromium_extension_whitelist_action:testaction:1" question_ref="ocil:ssg-chromium_extension_whitelist_question:question:1">
│ │ │ │        <ocil:when_true>
│ │ │ │          <ocil:result>PASS</ocil:result>
│ │ │ │        </ocil:when_true>
│ │ │ │        <ocil:when_false>
│ │ │ │          <ocil:result>FAIL</ocil:result>
│ │ │ │        </ocil:when_false>
│ │ │ │      </ocil:boolean_question_test_action>
│ │ │ │ -    <ocil:boolean_question_test_action id="ocil:ssg-chromium_enable_encrypted_searching_action:testaction:1" question_ref="ocil:ssg-chromium_enable_encrypted_searching_question:question:1">
│ │ │ │ +    <ocil:boolean_question_test_action id="ocil:ssg-chromium_disable_background_processing_action:testaction:1" question_ref="ocil:ssg-chromium_disable_background_processing_question:question:1">
│ │ │ │        <ocil:when_true>
│ │ │ │          <ocil:result>PASS</ocil:result>
│ │ │ │        </ocil:when_true>
│ │ │ │        <ocil:when_false>
│ │ │ │          <ocil:result>FAIL</ocil:result>
│ │ │ │        </ocil:when_false>
│ │ │ │      </ocil:boolean_question_test_action>
│ │ │ │ -    <ocil:boolean_question_test_action id="ocil:ssg-chromium_disable_password_manager_action:testaction:1" question_ref="ocil:ssg-chromium_disable_password_manager_question:question:1">
│ │ │ │ +    <ocil:boolean_question_test_action id="ocil:ssg-chromium_disable_firewall_traversal_action:testaction:1" question_ref="ocil:ssg-chromium_disable_firewall_traversal_question:question:1">
│ │ │ │        <ocil:when_true>
│ │ │ │          <ocil:result>PASS</ocil:result>
│ │ │ │        </ocil:when_true>
│ │ │ │        <ocil:when_false>
│ │ │ │          <ocil:result>FAIL</ocil:result>
│ │ │ │        </ocil:when_false>
│ │ │ │      </ocil:boolean_question_test_action>
│ │ │ │ -    <ocil:boolean_question_test_action id="ocil:ssg-chromium_disable_session_cookies_action:testaction:1" question_ref="ocil:ssg-chromium_disable_session_cookies_question:question:1">
│ │ │ │ +    <ocil:boolean_question_test_action id="ocil:ssg-chromium_enable_safe_browsing_action:testaction:1" question_ref="ocil:ssg-chromium_enable_safe_browsing_question:question:1">
│ │ │ │        <ocil:when_true>
│ │ │ │          <ocil:result>PASS</ocil:result>
│ │ │ │        </ocil:when_true>
│ │ │ │        <ocil:when_false>
│ │ │ │          <ocil:result>FAIL</ocil:result>
│ │ │ │        </ocil:when_false>
│ │ │ │      </ocil:boolean_question_test_action>
│ │ │ │ -    <ocil:boolean_question_test_action id="ocil:ssg-chromium_trusted_home_page_action:testaction:1" question_ref="ocil:ssg-chromium_trusted_home_page_question:question:1">
│ │ │ │ +    <ocil:boolean_question_test_action id="ocil:ssg-chromium_disallow_location_tracking_action:testaction:1" question_ref="ocil:ssg-chromium_disallow_location_tracking_question:question:1">
│ │ │ │        <ocil:when_true>
│ │ │ │          <ocil:result>PASS</ocil:result>
│ │ │ │        </ocil:when_true>
│ │ │ │        <ocil:when_false>
│ │ │ │          <ocil:result>FAIL</ocil:result>
│ │ │ │        </ocil:when_false>
│ │ │ │      </ocil:boolean_question_test_action>
│ │ │ │ -    <ocil:boolean_question_test_action id="ocil:ssg-chromium_disable_plugin_blacklist_action:testaction:1" question_ref="ocil:ssg-chromium_disable_plugin_blacklist_question:question:1">
│ │ │ │ +    <ocil:boolean_question_test_action id="ocil:ssg-chromium_disable_outdated_plugins_action:testaction:1" question_ref="ocil:ssg-chromium_disable_outdated_plugins_question:question:1">
│ │ │ │        <ocil:when_true>
│ │ │ │          <ocil:result>PASS</ocil:result>
│ │ │ │        </ocil:when_true>
│ │ │ │        <ocil:when_false>
│ │ │ │          <ocil:result>FAIL</ocil:result>
│ │ │ │        </ocil:when_false>
│ │ │ │      </ocil:boolean_question_test_action>
│ │ │ │ -    <ocil:boolean_question_test_action id="ocil:ssg-chromium_disable_cloud_print_sharing_action:testaction:1" question_ref="ocil:ssg-chromium_disable_cloud_print_sharing_question:question:1">
│ │ │ │ +    <ocil:boolean_question_test_action id="ocil:ssg-chromium_http_authentication_action:testaction:1" question_ref="ocil:ssg-chromium_http_authentication_question:question:1">
│ │ │ │        <ocil:when_true>
│ │ │ │          <ocil:result>PASS</ocil:result>
│ │ │ │        </ocil:when_true>
│ │ │ │        <ocil:when_false>
│ │ │ │          <ocil:result>FAIL</ocil:result>
│ │ │ │        </ocil:when_false>
│ │ │ │      </ocil:boolean_question_test_action>
│ │ │ │ -    <ocil:boolean_question_test_action id="ocil:ssg-chromium_disable_protocol_schemas_action:testaction:1" question_ref="ocil:ssg-chromium_disable_protocol_schemas_question:question:1">
│ │ │ │ +    <ocil:boolean_question_test_action id="ocil:ssg-chromium_disable_search_suggestions_action:testaction:1" question_ref="ocil:ssg-chromium_disable_search_suggestions_question:question:1">
│ │ │ │        <ocil:when_true>
│ │ │ │          <ocil:result>PASS</ocil:result>
│ │ │ │        </ocil:when_true>
│ │ │ │        <ocil:when_false>
│ │ │ │          <ocil:result>FAIL</ocil:result>
│ │ │ │        </ocil:when_false>
│ │ │ │      </ocil:boolean_question_test_action>
│ │ │ │ -    <ocil:boolean_question_test_action id="ocil:ssg-chromium_plugins_require_authorization_action:testaction:1" question_ref="ocil:ssg-chromium_plugins_require_authorization_question:question:1">
│ │ │ │ +    <ocil:boolean_question_test_action id="ocil:ssg-chromium_disable_plugin_blacklist_action:testaction:1" question_ref="ocil:ssg-chromium_disable_plugin_blacklist_question:question:1">
│ │ │ │        <ocil:when_true>
│ │ │ │          <ocil:result>PASS</ocil:result>
│ │ │ │        </ocil:when_true>
│ │ │ │        <ocil:when_false>
│ │ │ │          <ocil:result>FAIL</ocil:result>
│ │ │ │        </ocil:when_false>
│ │ │ │      </ocil:boolean_question_test_action>
│ │ │ │ @@ -443,87 +443,87 @@
│ │ │ │        <ocil:when_true>
│ │ │ │          <ocil:result>PASS</ocil:result>
│ │ │ │        </ocil:when_true>
│ │ │ │        <ocil:when_false>
│ │ │ │          <ocil:result>FAIL</ocil:result>
│ │ │ │        </ocil:when_false>
│ │ │ │      </ocil:boolean_question_test_action>
│ │ │ │ -    <ocil:boolean_question_test_action id="ocil:ssg-chromium_whitelist_plugin_urls_action:testaction:1" question_ref="ocil:ssg-chromium_whitelist_plugin_urls_question:question:1">
│ │ │ │ +    <ocil:boolean_question_test_action id="ocil:ssg-chromium_disable_password_manager_action:testaction:1" question_ref="ocil:ssg-chromium_disable_password_manager_question:question:1">
│ │ │ │        <ocil:when_true>
│ │ │ │          <ocil:result>PASS</ocil:result>
│ │ │ │        </ocil:when_true>
│ │ │ │        <ocil:when_false>
│ │ │ │          <ocil:result>FAIL</ocil:result>
│ │ │ │        </ocil:when_false>
│ │ │ │      </ocil:boolean_question_test_action>
│ │ │ │ -    <ocil:boolean_question_test_action id="ocil:ssg-chromium_disable_saved_passwords_action:testaction:1" question_ref="ocil:ssg-chromium_disable_saved_passwords_question:question:1">
│ │ │ │ +    <ocil:boolean_question_test_action id="ocil:ssg-chromium_disable_automatic_installation_action:testaction:1" question_ref="ocil:ssg-chromium_disable_automatic_installation_question:question:1">
│ │ │ │        <ocil:when_true>
│ │ │ │          <ocil:result>PASS</ocil:result>
│ │ │ │        </ocil:when_true>
│ │ │ │        <ocil:when_false>
│ │ │ │          <ocil:result>FAIL</ocil:result>
│ │ │ │        </ocil:when_false>
│ │ │ │      </ocil:boolean_question_test_action>
│ │ │ │ -    <ocil:boolean_question_test_action id="ocil:ssg-chromium_disable_search_suggestions_action:testaction:1" question_ref="ocil:ssg-chromium_disable_search_suggestions_question:question:1">
│ │ │ │ +    <ocil:boolean_question_test_action id="ocil:ssg-chromium_blacklist_extension_installation_action:testaction:1" question_ref="ocil:ssg-chromium_blacklist_extension_installation_question:question:1">
│ │ │ │        <ocil:when_true>
│ │ │ │          <ocil:result>PASS</ocil:result>
│ │ │ │        </ocil:when_true>
│ │ │ │        <ocil:when_false>
│ │ │ │          <ocil:result>FAIL</ocil:result>
│ │ │ │        </ocil:when_false>
│ │ │ │      </ocil:boolean_question_test_action>
│ │ │ │ -    <ocil:boolean_question_test_action id="ocil:ssg-chromium_disable_background_processing_action:testaction:1" question_ref="ocil:ssg-chromium_disable_background_processing_question:question:1">
│ │ │ │ +    <ocil:boolean_question_test_action id="ocil:ssg-chromium_disable_protocol_schemas_action:testaction:1" question_ref="ocil:ssg-chromium_disable_protocol_schemas_question:question:1">
│ │ │ │        <ocil:when_true>
│ │ │ │          <ocil:result>PASS</ocil:result>
│ │ │ │        </ocil:when_true>
│ │ │ │        <ocil:when_false>
│ │ │ │          <ocil:result>FAIL</ocil:result>
│ │ │ │        </ocil:when_false>
│ │ │ │      </ocil:boolean_question_test_action>
│ │ │ │ -    <ocil:boolean_question_test_action id="ocil:ssg-chromium_disable_autocomplete_action:testaction:1" question_ref="ocil:ssg-chromium_disable_autocomplete_question:question:1">
│ │ │ │ +    <ocil:boolean_question_test_action id="ocil:ssg-chromium_check_cert_revocation_action:testaction:1" question_ref="ocil:ssg-chromium_check_cert_revocation_question:question:1">
│ │ │ │        <ocil:when_true>
│ │ │ │          <ocil:result>PASS</ocil:result>
│ │ │ │        </ocil:when_true>
│ │ │ │        <ocil:when_false>
│ │ │ │          <ocil:result>FAIL</ocil:result>
│ │ │ │        </ocil:when_false>
│ │ │ │      </ocil:boolean_question_test_action>
│ │ │ │ -    <ocil:boolean_question_test_action id="ocil:ssg-chromium_http_authentication_action:testaction:1" question_ref="ocil:ssg-chromium_http_authentication_question:question:1">
│ │ │ │ +    <ocil:boolean_question_test_action id="ocil:ssg-chromium_plugins_require_authorization_action:testaction:1" question_ref="ocil:ssg-chromium_plugins_require_authorization_question:question:1">
│ │ │ │        <ocil:when_true>
│ │ │ │          <ocil:result>PASS</ocil:result>
│ │ │ │        </ocil:when_true>
│ │ │ │        <ocil:when_false>
│ │ │ │          <ocil:result>FAIL</ocil:result>
│ │ │ │        </ocil:when_false>
│ │ │ │      </ocil:boolean_question_test_action>
│ │ │ │ -    <ocil:boolean_question_test_action id="ocil:ssg-chromium_blacklist_extension_installation_action:testaction:1" question_ref="ocil:ssg-chromium_blacklist_extension_installation_question:question:1">
│ │ │ │ +    <ocil:boolean_question_test_action id="ocil:ssg-chromium_disable_network_prediction_action:testaction:1" question_ref="ocil:ssg-chromium_disable_network_prediction_question:question:1">
│ │ │ │        <ocil:when_true>
│ │ │ │          <ocil:result>PASS</ocil:result>
│ │ │ │        </ocil:when_true>
│ │ │ │        <ocil:when_false>
│ │ │ │          <ocil:result>FAIL</ocil:result>
│ │ │ │        </ocil:when_false>
│ │ │ │      </ocil:boolean_question_test_action>
│ │ │ │ -    <ocil:boolean_question_test_action id="ocil:ssg-chromium_enable_safe_browsing_action:testaction:1" question_ref="ocil:ssg-chromium_enable_safe_browsing_question:question:1">
│ │ │ │ +    <ocil:boolean_question_test_action id="ocil:ssg-chromium_disable_session_cookies_action:testaction:1" question_ref="ocil:ssg-chromium_disable_session_cookies_question:question:1">
│ │ │ │        <ocil:when_true>
│ │ │ │          <ocil:result>PASS</ocil:result>
│ │ │ │        </ocil:when_true>
│ │ │ │        <ocil:when_false>
│ │ │ │          <ocil:result>FAIL</ocil:result>
│ │ │ │        </ocil:when_false>
│ │ │ │      </ocil:boolean_question_test_action>
│ │ │ │ -    <ocil:boolean_question_test_action id="ocil:ssg-chromium_enable_browser_history_action:testaction:1" question_ref="ocil:ssg-chromium_enable_browser_history_question:question:1">
│ │ │ │ +    <ocil:boolean_question_test_action id="ocil:ssg-chromium_disable_incognito_mode_action:testaction:1" question_ref="ocil:ssg-chromium_disable_incognito_mode_question:question:1">
│ │ │ │        <ocil:when_true>
│ │ │ │          <ocil:result>PASS</ocil:result>
│ │ │ │        </ocil:when_true>
│ │ │ │        <ocil:when_false>
│ │ │ │          <ocil:result>FAIL</ocil:result>
│ │ │ │        </ocil:when_false>
│ │ │ │      </ocil:boolean_question_test_action>
│ │ │ │ -    <ocil:boolean_question_test_action id="ocil:ssg-chromium_disable_network_prediction_action:testaction:1" question_ref="ocil:ssg-chromium_disable_network_prediction_question:question:1">
│ │ │ │ +    <ocil:boolean_question_test_action id="ocil:ssg-chromium_whitelist_plugin_urls_action:testaction:1" question_ref="ocil:ssg-chromium_whitelist_plugin_urls_question:question:1">
│ │ │ │        <ocil:when_true>
│ │ │ │          <ocil:result>PASS</ocil:result>
│ │ │ │        </ocil:when_true>
│ │ │ │        <ocil:when_false>
│ │ │ │          <ocil:result>FAIL</ocil:result>
│ │ │ │        </ocil:when_false>
│ │ │ │      </ocil:boolean_question_test_action>
│ │ │ │ @@ -532,266 +532,266 @@
│ │ │ │      <ocil:boolean_question id="ocil:ssg-chromium_disable_google_sync_question:question:1">
│ │ │ │        <ocil:question_text>To verify that data synchronization is disabled, run the following command:
│ │ │ │  $ grep SyncDisabled /etc/chromium/policies/managed/*.json
│ │ │ │  The output should contain:
│ │ │ │  "SyncDisabled": true,
│ │ │ │        Is it the case that it is not disabled?</ocil:question_text>
│ │ │ │      </ocil:boolean_question>
│ │ │ │ +    <ocil:boolean_question id="ocil:ssg-chromium_disable_metrics_reporting_question:question:1">
│ │ │ │ +      <ocil:question_text>To verify that metrics reporting is disabled, run the following command:
│ │ │ │ +$ grep MetricsReportingEnabled /etc/chromium/policies/managed/*.json
│ │ │ │ +The output should contain:
│ │ │ │ +"MetricsReportingEnabled": false,
│ │ │ │ +      Is it the case that it is not disabled?</ocil:question_text>
│ │ │ │ +    </ocil:boolean_question>
│ │ │ │      <ocil:boolean_question id="ocil:ssg-chromium_disable_3d_graphics_api_question:question:1">
│ │ │ │        <ocil:question_text>To verify that 3D graphics are disabled, run the following command:
│ │ │ │  $ grep Disable3DAPIs /etc/chromium/policies/managed/*.json
│ │ │ │  The output should contain:
│ │ │ │  "Disable3DAPIs": true,
│ │ │ │        Is it the case that it is not disabled?</ocil:question_text>
│ │ │ │      </ocil:boolean_question>
│ │ │ │ +    <ocil:boolean_question id="ocil:ssg-chromium_disable_saved_passwords_question:question:1">
│ │ │ │ +      <ocil:question_text>To verify that importing passwords is disabled, run the following command:
│ │ │ │ +$ grep ImportSavedPasswords /etc/chromium/policies/managed/*.json
│ │ │ │ +The output should contain:
│ │ │ │ +"ImportSavedPasswords": false,
│ │ │ │ +      Is it the case that it is not disabled?</ocil:question_text>
│ │ │ │ +    </ocil:boolean_question>
│ │ │ │ +    <ocil:boolean_question id="ocil:ssg-chromium_policy_file_question:question:1">
│ │ │ │ +      <ocil:question_text>To verify that the Chromium policy file exists, run the following command:
│ │ │ │ +$ ls /etc/chromium/policies/managed
│ │ │ │ +The output should show file(s) ending in .json extension.
│ │ │ │ +For example:
│ │ │ │ +chrome-stig-policy.json
│ │ │ │ +      Is it the case that it does not exist or is not configured correctly?</ocil:question_text>
│ │ │ │ +    </ocil:boolean_question>
│ │ │ │ +    <ocil:boolean_question id="ocil:ssg-chromium_disable_autocomplete_question:question:1">
│ │ │ │ +      <ocil:question_text>To verify that the AutoFill feature is disabled, run the following command:
│ │ │ │ +$ grep AutoFillEnabled /etc/chromium/policies/managed/*.json
│ │ │ │ +The output should contain:
│ │ │ │ +"AutoFillEnabled": false,
│ │ │ │ +      Is it the case that it is not disabled?</ocil:question_text>
│ │ │ │ +    </ocil:boolean_question>
│ │ │ │      <ocil:boolean_question id="ocil:ssg-chromium_disable_cleartext_passwords_question:question:1">
│ │ │ │        <ocil:question_text>To verify that the use of cleartext passwords is disabled, run the following command:
│ │ │ │  $ grep PasswordManagerAllowShowPasswords /etc/chromium/policies/managed/*.json
│ │ │ │  The output should contain:
│ │ │ │  "PasswordManagerAllowShowPasswords": false,
│ │ │ │        Is it the case that use of cleartext passwords are not disabled?</ocil:question_text>
│ │ │ │      </ocil:boolean_question>
│ │ │ │ -    <ocil:boolean_question id="ocil:ssg-chromium_default_block_plugins_question:question:1">
│ │ │ │ -      <ocil:question_text>To verify that plugins cannot run automatically, run the following command:
│ │ │ │ -$ grep DefaultPluginsSetting /etc/chromium/policies/managed/*.json
│ │ │ │ +    <ocil:boolean_question id="ocil:ssg-chromium_enable_browser_history_question:question:1">
│ │ │ │ +      <ocil:question_text>To verify that saving the browser history is enabled, run the following command:
│ │ │ │ +$ grep SavingBrowserHistoryDisabled /etc/chromium/policies/managed/*.json
│ │ │ │  The output should contain:
│ │ │ │ -"DefaultPluginsSetting": 3,
│ │ │ │ -      Is it the case that it is not set correctly?</ocil:question_text>
│ │ │ │ +"SavingBrowserHistoryDisabled": false,
│ │ │ │ +      Is it the case that it is not enabled?</ocil:question_text>
│ │ │ │ +    </ocil:boolean_question>
│ │ │ │ +    <ocil:boolean_question id="ocil:ssg-chromium_enable_encrypted_searching_question:question:1">
│ │ │ │ +      <ocil:question_text>To verify that the URL of the search engine is set, run the following command:
│ │ │ │ +$ grep DefaultSearchProviderSearchURL /etc/chromium/policies/managed/*.json
│ │ │ │ +The output should contain:
│ │ │ │ +"DefaultSearchProviderSearchURL": "",
│ │ │ │ +      Is it the case that it is not set?</ocil:question_text>
│ │ │ │      </ocil:boolean_question>
│ │ │ │      <ocil:boolean_question id="ocil:ssg-chromium_disable_thirdparty_cookies_question:question:1">
│ │ │ │        <ocil:question_text>To verify that third party cookies are disabled, run the following command:
│ │ │ │  $ grep BlockThirdPartyCookies /etc/chromium/policies/managed/*.json
│ │ │ │  The output should contain:
│ │ │ │  "BlockThirdPartyCookies": true,
│ │ │ │        Is it the case that it is not disabled?</ocil:question_text>
│ │ │ │      </ocil:boolean_question>
│ │ │ │ +    <ocil:boolean_question id="ocil:ssg-chromium_enable_approved_plugins_question:question:1">
│ │ │ │ +      <ocil:question_text>To verify that approved plugins are set, run the following command:
│ │ │ │ +$ grep EnabledPlugins /etc/chromium/policies/managed/*.json
│ │ │ │ +The output should contain:
│ │ │ │ +"EnabledPlugins": ["approved_plugin1", "approved_plugin2"],
│ │ │ │ +      Is it the case that no plugins exist or it is not set to none?</ocil:question_text>
│ │ │ │ +    </ocil:boolean_question>
│ │ │ │ +    <ocil:boolean_question id="ocil:ssg-chromium_trusted_home_page_question:question:1">
│ │ │ │ +      <ocil:question_text>To verify that the defaut home page is set, run the following command:
│ │ │ │ +$ grep HomepageLocation /etc/chromium/policies/managed/*.json
│ │ │ │ +The output should contain:
│ │ │ │ +"HomepageLocation": "",
│ │ │ │ +      Is it the case that it is not set correctly?</ocil:question_text>
│ │ │ │ +    </ocil:boolean_question>
│ │ │ │ +    <ocil:boolean_question id="ocil:ssg-chromium_default_search_provider_question:question:1">
│ │ │ │ +      <ocil:question_text>To verify that users cannot change the default search provider, run the following command:
│ │ │ │ +$ grep DefaultSearchProviderEnabled /etc/chromium/policies/managed/*.json
│ │ │ │ +The output should contain:
│ │ │ │ +"DefaultSearchProviderEnabled": true,
│ │ │ │ +      Is it the case that it is not enabled?</ocil:question_text>
│ │ │ │ +    </ocil:boolean_question>
│ │ │ │      <ocil:boolean_question id="ocil:ssg-chromium_block_desktop_notifications_question:question:1">
│ │ │ │        <ocil:question_text>To verify that desktop notification is
│ │ │ │  disabled, run the following command:
│ │ │ │  $ grep DefaultNotificationsSetting /etc/chromium/policies/managed/*.json
│ │ │ │  The output should contain:
│ │ │ │  "DefaultNotificationsSetting": 2,
│ │ │ │        Is it the case that it is not disabled?</ocil:question_text>
│ │ │ │      </ocil:boolean_question>
│ │ │ │ -    <ocil:boolean_question id="ocil:ssg-chromium_disable_firewall_traversal_question:question:1">
│ │ │ │ -      <ocil:question_text>To verify that Chromium's abililty to traverse the system firewall is 
│ │ │ │ -disabled, run the following command:
│ │ │ │ -$ grep RemoteAccessHostFirewallTraversal /etc/chromium/policies/managed/*.json
│ │ │ │ -The output should contain:
│ │ │ │ -"RemoteAccessHostFirewallTraversal": false,
│ │ │ │ -      Is it the case that it is not disabled?</ocil:question_text>
│ │ │ │ -    </ocil:boolean_question>
│ │ │ │      <ocil:boolean_question id="ocil:ssg-chromium_disable_popups_question:question:1">
│ │ │ │        <ocil:question_text>To verify that pop-ups are disabled, run the following command:
│ │ │ │  $ grep DefaultPopupsSetting /etc/chromium/policies/managed/*.json
│ │ │ │  The output should contain:
│ │ │ │  "DefaultPopupsSetting": 2,
│ │ │ │        Is it the case that it is not disabled?</ocil:question_text>
│ │ │ │      </ocil:boolean_question>
│ │ │ │ -    <ocil:boolean_question id="ocil:ssg-chromium_default_search_provider_question:question:1">
│ │ │ │ -      <ocil:question_text>To verify that users cannot change the default search provider, run the following command:
│ │ │ │ -$ grep DefaultSearchProviderEnabled /etc/chromium/policies/managed/*.json
│ │ │ │ +    <ocil:boolean_question id="ocil:ssg-chromium_disable_cloud_print_sharing_question:question:1">
│ │ │ │ +      <ocil:question_text>To verify that the Cloud Print Sharing feature is disabled, run the following command:
│ │ │ │ +$ grep CloudPrintProxyEnabled /etc/chromium/policies/managed/*.json
│ │ │ │  The output should contain:
│ │ │ │ -"DefaultSearchProviderEnabled": true,
│ │ │ │ -      Is it the case that it is not enabled?</ocil:question_text>
│ │ │ │ +"CloudPrintProxyEnabled": false,
│ │ │ │ +      Is it the case that it is not disabled?</ocil:question_text>
│ │ │ │      </ocil:boolean_question>
│ │ │ │ -    <ocil:boolean_question id="ocil:ssg-chromium_disable_outdated_plugins_question:question:1">
│ │ │ │ -      <ocil:question_text>To verify that outdated plugins are disabled, run the following command:
│ │ │ │ -$ grep AllowOutdatedPlugins /etc/chromium/policies/managed/*.json
│ │ │ │ +    <ocil:boolean_question id="ocil:ssg-chromium_default_block_plugins_question:question:1">
│ │ │ │ +      <ocil:question_text>To verify that plugins cannot run automatically, run the following command:
│ │ │ │ +$ grep DefaultPluginsSetting /etc/chromium/policies/managed/*.json
│ │ │ │  The output should contain:
│ │ │ │ -"AllowOutdatedPlugins": false,
│ │ │ │ -      Is it the case that it is not disabled?</ocil:question_text>
│ │ │ │ +"DefaultPluginsSetting": 3,
│ │ │ │ +      Is it the case that it is not set correctly?</ocil:question_text>
│ │ │ │      </ocil:boolean_question>
│ │ │ │      <ocil:boolean_question id="ocil:ssg-chromium_extension_whitelist_question:question:1">
│ │ │ │        <ocil:question_text>To verify that approved extensions are whitelisted, run the following command:
│ │ │ │  $ grep ExtensionInstallWhitelist /etc/chromium/policies/managed/*.json
│ │ │ │  The output should contain:
│ │ │ │  "ExtensionInstallWhitelist": [""],
│ │ │ │        Is it the case that approved extensions are not set?</ocil:question_text>
│ │ │ │      </ocil:boolean_question>
│ │ │ │ -    <ocil:boolean_question id="ocil:ssg-chromium_enable_approved_plugins_question:question:1">
│ │ │ │ -      <ocil:question_text>To verify that approved plugins are set, run the following command:
│ │ │ │ -$ grep EnabledPlugins /etc/chromium/policies/managed/*.json
│ │ │ │ -The output should contain:
│ │ │ │ -"EnabledPlugins": ["approved_plugin1", "approved_plugin2"],
│ │ │ │ -      Is it the case that no plugins exist or it is not set to none?</ocil:question_text>
│ │ │ │ -    </ocil:boolean_question>
│ │ │ │ -    <ocil:boolean_question id="ocil:ssg-chromium_disable_automatic_installation_question:question:1">
│ │ │ │ -      <ocil:question_text>To verify that plugins cannot be automatically installed, run the following command:
│ │ │ │ -$ grep DisablePluginFinder /etc/chromium/policies/managed/*.json
│ │ │ │ +    <ocil:boolean_question id="ocil:ssg-chromium_disable_background_processing_question:question:1">
│ │ │ │ +      <ocil:question_text>To verify that background processing is disabled, run the following command:
│ │ │ │ +$ grep BackgroundModeEnabled /etc/chromium/policies/managed/*.json
│ │ │ │  The output should contain:
│ │ │ │ -"DisablePluginFinder": true,
│ │ │ │ +"BackgroundModeEnabled": false,
│ │ │ │        Is it the case that it is not disabled?</ocil:question_text>
│ │ │ │      </ocil:boolean_question>
│ │ │ │ -    <ocil:boolean_question id="ocil:ssg-chromium_disable_metrics_reporting_question:question:1">
│ │ │ │ -      <ocil:question_text>To verify that metrics reporting is disabled, run the following command:
│ │ │ │ -$ grep MetricsReportingEnabled /etc/chromium/policies/managed/*.json
│ │ │ │ +    <ocil:boolean_question id="ocil:ssg-chromium_disable_firewall_traversal_question:question:1">
│ │ │ │ +      <ocil:question_text>To verify that Chromium's abililty to traverse the system firewall is 
│ │ │ │ +disabled, run the following command:
│ │ │ │ +$ grep RemoteAccessHostFirewallTraversal /etc/chromium/policies/managed/*.json
│ │ │ │  The output should contain:
│ │ │ │ -"MetricsReportingEnabled": false,
│ │ │ │ +"RemoteAccessHostFirewallTraversal": false,
│ │ │ │        Is it the case that it is not disabled?</ocil:question_text>
│ │ │ │      </ocil:boolean_question>
│ │ │ │ -    <ocil:boolean_question id="ocil:ssg-chromium_policy_file_question:question:1">
│ │ │ │ -      <ocil:question_text>To verify that the Chromium policy file exists, run the following command:
│ │ │ │ -$ ls /etc/chromium/policies/managed
│ │ │ │ -The output should show file(s) ending in .json extension.
│ │ │ │ -For example:
│ │ │ │ -chrome-stig-policy.json
│ │ │ │ -      Is it the case that it does not exist or is not configured correctly?</ocil:question_text>
│ │ │ │ -    </ocil:boolean_question>
│ │ │ │ -    <ocil:boolean_question id="ocil:ssg-chromium_check_cert_revocation_question:question:1">
│ │ │ │ -      <ocil:question_text>To verify that online OCSP/CRL checks are enabled, run the following command:
│ │ │ │ -$ grep EnableOnlineRevocationChecks /etc/chromium/policies/managed/*.json
│ │ │ │ +    <ocil:boolean_question id="ocil:ssg-chromium_enable_safe_browsing_question:question:1">
│ │ │ │ +      <ocil:question_text>To verify that the safe browsing feature is enabled, run the following command:
│ │ │ │ +$ grep SafeBrowsingEnabled /etc/chromium/policies/managed/*.json
│ │ │ │  The output should contain:
│ │ │ │ -"EnableOnlineRevocationChecks": true,
│ │ │ │ +"SafeBrowsingEnabled": true,
│ │ │ │        Is it the case that it is not enabled?</ocil:question_text>
│ │ │ │      </ocil:boolean_question>
│ │ │ │ -    <ocil:boolean_question id="ocil:ssg-chromium_disable_incognito_mode_question:question:1">
│ │ │ │ -      <ocil:question_text>To verify that incognito mode is disabled, run the following command:
│ │ │ │ -$ grep IncognitoModeAvailability /etc/chromium/policies/managed/*.json
│ │ │ │ -The output should contain:
│ │ │ │ -"IncognitoModeAvailability": 1,
│ │ │ │ -      Is it the case that it is not disabled?</ocil:question_text>
│ │ │ │ -    </ocil:boolean_question>
│ │ │ │      <ocil:boolean_question id="ocil:ssg-chromium_disallow_location_tracking_question:question:1">
│ │ │ │        <ocil:question_text>To verify that location tracking is disabled, run the following command:
│ │ │ │  $ grep DefaultGeolocationSetting /etc/chromium/policies/managed/*.json
│ │ │ │  The output should contain:
│ │ │ │  "DefaultGeolocationSetting": 2,
│ │ │ │        Is it the case that it is not disabled?</ocil:question_text>
│ │ │ │      </ocil:boolean_question>
│ │ │ │ -    <ocil:boolean_question id="ocil:ssg-chromium_enable_encrypted_searching_question:question:1">
│ │ │ │ -      <ocil:question_text>To verify that the URL of the search engine is set, run the following command:
│ │ │ │ -$ grep DefaultSearchProviderSearchURL /etc/chromium/policies/managed/*.json
│ │ │ │ -The output should contain:
│ │ │ │ -"DefaultSearchProviderSearchURL": "",
│ │ │ │ -      Is it the case that it is not set?</ocil:question_text>
│ │ │ │ -    </ocil:boolean_question>
│ │ │ │ -    <ocil:boolean_question id="ocil:ssg-chromium_disable_password_manager_question:question:1">
│ │ │ │ -      <ocil:question_text>To verify that the use of Password Manager is disabled, run the following command:
│ │ │ │ -$ grep PasswordManagerEnabled /etc/chromium/policies/managed/*.json
│ │ │ │ +    <ocil:boolean_question id="ocil:ssg-chromium_disable_outdated_plugins_question:question:1">
│ │ │ │ +      <ocil:question_text>To verify that outdated plugins are disabled, run the following command:
│ │ │ │ +$ grep AllowOutdatedPlugins /etc/chromium/policies/managed/*.json
│ │ │ │  The output should contain:
│ │ │ │ -"PasswordManagerEnabled": false,
│ │ │ │ +"AllowOutdatedPlugins": false,
│ │ │ │        Is it the case that it is not disabled?</ocil:question_text>
│ │ │ │      </ocil:boolean_question>
│ │ │ │ -    <ocil:boolean_question id="ocil:ssg-chromium_disable_session_cookies_question:question:1">
│ │ │ │ -      <ocil:question_text>To verify that sessions cookies for approved sites only are enabled,
│ │ │ │ -run the following command:
│ │ │ │ -$ grep CookiesSessionOnlyForUrls /etc/chromium/policies/managed/*.json
│ │ │ │ +    <ocil:boolean_question id="ocil:ssg-chromium_http_authentication_question:question:1">
│ │ │ │ +      <ocil:question_text>To verify that the HTTP Authentication Scheme is set, run the following command:
│ │ │ │ +$ grep AuthSchemes /etc/chromium/policies/managed/*.json
│ │ │ │  The output should contain:
│ │ │ │ -"CookiesSessionOnlyForUrls": ["none"],
│ │ │ │ -      Is it the case that it is not disabled?</ocil:question_text>
│ │ │ │ +"AuthSchemes": "",
│ │ │ │ +      Is it the case that it is not set?</ocil:question_text>
│ │ │ │      </ocil:boolean_question>
│ │ │ │ -    <ocil:boolean_question id="ocil:ssg-chromium_trusted_home_page_question:question:1">
│ │ │ │ -      <ocil:question_text>To verify that the defaut home page is set, run the following command:
│ │ │ │ -$ grep HomepageLocation /etc/chromium/policies/managed/*.json
│ │ │ │ +    <ocil:boolean_question id="ocil:ssg-chromium_disable_search_suggestions_question:question:1">
│ │ │ │ +      <ocil:question_text>To verify that search suggestion is disabled, run the following command:
│ │ │ │ +$ grep SearchSuggestEnabled /etc/chromium/policies/managed/*.json
│ │ │ │  The output should contain:
│ │ │ │ -"HomepageLocation": "",
│ │ │ │ -      Is it the case that it is not set correctly?</ocil:question_text>
│ │ │ │ +"SearchSuggestEnabled": false,
│ │ │ │ +      Is it the case that it is not disabled?</ocil:question_text>
│ │ │ │      </ocil:boolean_question>
│ │ │ │      <ocil:boolean_question id="ocil:ssg-chromium_disable_plugin_blacklist_question:question:1">
│ │ │ │        <ocil:question_text>To verify that all plugins are blacklisted, run the following command:
│ │ │ │  $ grep DisabledPlugins /etc/chromium/policies/managed/*.json
│ │ │ │  The output should contain:
│ │ │ │  "DisabledPlugins": ["*"],
│ │ │ │        Is it the case that they are not disabled?</ocil:question_text>
│ │ │ │      </ocil:boolean_question>
│ │ │ │ -    <ocil:boolean_question id="ocil:ssg-chromium_disable_cloud_print_sharing_question:question:1">
│ │ │ │ -      <ocil:question_text>To verify that the Cloud Print Sharing feature is disabled, run the following command:
│ │ │ │ -$ grep CloudPrintProxyEnabled /etc/chromium/policies/managed/*.json
│ │ │ │ -The output should contain:
│ │ │ │ -"CloudPrintProxyEnabled": false,
│ │ │ │ -      Is it the case that it is not disabled?</ocil:question_text>
│ │ │ │ -    </ocil:boolean_question>
│ │ │ │ -    <ocil:boolean_question id="ocil:ssg-chromium_disable_protocol_schemas_question:question:1">
│ │ │ │ -      <ocil:question_text>To verify that data synchronization is disabled, run the following command:
│ │ │ │ -$ grep URLBlacklist /etc/chromium/policies/managed/*.json
│ │ │ │ -The output should contain:
│ │ │ │ -"URLBlacklist": [""],
│ │ │ │ -      Is it the case that it is not disabled?</ocil:question_text>
│ │ │ │ -    </ocil:boolean_question>
│ │ │ │ -    <ocil:boolean_question id="ocil:ssg-chromium_plugins_require_authorization_question:question:1">
│ │ │ │ -      <ocil:question_text>To verify that plugins require authorization to run, run the following command:
│ │ │ │ -$ grep AlwaysAuthorizePlugins /etc/chromium/policies/managed/*.json
│ │ │ │ -The output should contain:
│ │ │ │ -"AlwaysAuthorizePlugins": false,
│ │ │ │ -      Is it the case that it is not set?</ocil:question_text>
│ │ │ │ -    </ocil:boolean_question>
│ │ │ │      <ocil:boolean_question id="ocil:ssg-chromium_default_search_provider_name_question:question:1">
│ │ │ │        <ocil:question_text>To verify that a default search provider is set, run the following command:
│ │ │ │  $ grep DefaultSearchProviderName /etc/chromium/policies/managed/*.json
│ │ │ │  The output should contain:
│ │ │ │  "DefaultSearchProviderName": "",
│ │ │ │        Is it the case that a default search provider is not set?</ocil:question_text>
│ │ │ │      </ocil:boolean_question>
│ │ │ │ -    <ocil:boolean_question id="ocil:ssg-chromium_whitelist_plugin_urls_question:question:1">
│ │ │ │ -      <ocil:question_text>To verify that plugins are allowed for only approved URLs, 
│ │ │ │ -run the following command:
│ │ │ │ -$ grep PluginsAllowedForUrls /etc/chromium/policies/managed/*.json
│ │ │ │ -The output should contain:
│ │ │ │ -"PluginsAllowedForUrls": ["[*.]mil", "[*.]example.com", "www.example.com"],
│ │ │ │ -      Is it the case that no urls exist or it is not set to none?</ocil:question_text>
│ │ │ │ -    </ocil:boolean_question>
│ │ │ │ -    <ocil:boolean_question id="ocil:ssg-chromium_disable_saved_passwords_question:question:1">
│ │ │ │ -      <ocil:question_text>To verify that importing passwords is disabled, run the following command:
│ │ │ │ -$ grep ImportSavedPasswords /etc/chromium/policies/managed/*.json
│ │ │ │ -The output should contain:
│ │ │ │ -"ImportSavedPasswords": false,
│ │ │ │ -      Is it the case that it is not disabled?</ocil:question_text>
│ │ │ │ -    </ocil:boolean_question>
│ │ │ │ -    <ocil:boolean_question id="ocil:ssg-chromium_disable_search_suggestions_question:question:1">
│ │ │ │ -      <ocil:question_text>To verify that search suggestion is disabled, run the following command:
│ │ │ │ -$ grep SearchSuggestEnabled /etc/chromium/policies/managed/*.json
│ │ │ │ -The output should contain:
│ │ │ │ -"SearchSuggestEnabled": false,
│ │ │ │ -      Is it the case that it is not disabled?</ocil:question_text>
│ │ │ │ -    </ocil:boolean_question>
│ │ │ │ -    <ocil:boolean_question id="ocil:ssg-chromium_disable_background_processing_question:question:1">
│ │ │ │ -      <ocil:question_text>To verify that background processing is disabled, run the following command:
│ │ │ │ -$ grep BackgroundModeEnabled /etc/chromium/policies/managed/*.json
│ │ │ │ +    <ocil:boolean_question id="ocil:ssg-chromium_disable_password_manager_question:question:1">
│ │ │ │ +      <ocil:question_text>To verify that the use of Password Manager is disabled, run the following command:
│ │ │ │ +$ grep PasswordManagerEnabled /etc/chromium/policies/managed/*.json
│ │ │ │  The output should contain:
│ │ │ │ -"BackgroundModeEnabled": false,
│ │ │ │ +"PasswordManagerEnabled": false,
│ │ │ │        Is it the case that it is not disabled?</ocil:question_text>
│ │ │ │      </ocil:boolean_question>
│ │ │ │ -    <ocil:boolean_question id="ocil:ssg-chromium_disable_autocomplete_question:question:1">
│ │ │ │ -      <ocil:question_text>To verify that the AutoFill feature is disabled, run the following command:
│ │ │ │ -$ grep AutoFillEnabled /etc/chromium/policies/managed/*.json
│ │ │ │ +    <ocil:boolean_question id="ocil:ssg-chromium_disable_automatic_installation_question:question:1">
│ │ │ │ +      <ocil:question_text>To verify that plugins cannot be automatically installed, run the following command:
│ │ │ │ +$ grep DisablePluginFinder /etc/chromium/policies/managed/*.json
│ │ │ │  The output should contain:
│ │ │ │ -"AutoFillEnabled": false,
│ │ │ │ +"DisablePluginFinder": true,
│ │ │ │        Is it the case that it is not disabled?</ocil:question_text>
│ │ │ │      </ocil:boolean_question>
│ │ │ │ -    <ocil:boolean_question id="ocil:ssg-chromium_http_authentication_question:question:1">
│ │ │ │ -      <ocil:question_text>To verify that the HTTP Authentication Scheme is set, run the following command:
│ │ │ │ -$ grep AuthSchemes /etc/chromium/policies/managed/*.json
│ │ │ │ -The output should contain:
│ │ │ │ -"AuthSchemes": "",
│ │ │ │ -      Is it the case that it is not set?</ocil:question_text>
│ │ │ │ -    </ocil:boolean_question>
│ │ │ │      <ocil:boolean_question id="ocil:ssg-chromium_blacklist_extension_installation_question:question:1">
│ │ │ │        <ocil:question_text>To verify that all extensions are blacklisted from installing, run the following command:
│ │ │ │  $ grep ExtensionInstallBlacklist /etc/chromium/policies/managed/*.json
│ │ │ │  The output should contain:
│ │ │ │  "ExtensionInstallBlacklist": ["*"],
│ │ │ │        Is it the case that extensions are not blacklisted?</ocil:question_text>
│ │ │ │      </ocil:boolean_question>
│ │ │ │ -    <ocil:boolean_question id="ocil:ssg-chromium_enable_safe_browsing_question:question:1">
│ │ │ │ -      <ocil:question_text>To verify that the safe browsing feature is enabled, run the following command:
│ │ │ │ -$ grep SafeBrowsingEnabled /etc/chromium/policies/managed/*.json
│ │ │ │ +    <ocil:boolean_question id="ocil:ssg-chromium_disable_protocol_schemas_question:question:1">
│ │ │ │ +      <ocil:question_text>To verify that data synchronization is disabled, run the following command:
│ │ │ │ +$ grep URLBlacklist /etc/chromium/policies/managed/*.json
│ │ │ │  The output should contain:
│ │ │ │ -"SafeBrowsingEnabled": true,
│ │ │ │ -      Is it the case that it is not enabled?</ocil:question_text>
│ │ │ │ +"URLBlacklist": [""],
│ │ │ │ +      Is it the case that it is not disabled?</ocil:question_text>
│ │ │ │      </ocil:boolean_question>
│ │ │ │ -    <ocil:boolean_question id="ocil:ssg-chromium_enable_browser_history_question:question:1">
│ │ │ │ -      <ocil:question_text>To verify that saving the browser history is enabled, run the following command:
│ │ │ │ -$ grep SavingBrowserHistoryDisabled /etc/chromium/policies/managed/*.json
│ │ │ │ +    <ocil:boolean_question id="ocil:ssg-chromium_check_cert_revocation_question:question:1">
│ │ │ │ +      <ocil:question_text>To verify that online OCSP/CRL checks are enabled, run the following command:
│ │ │ │ +$ grep EnableOnlineRevocationChecks /etc/chromium/policies/managed/*.json
│ │ │ │  The output should contain:
│ │ │ │ -"SavingBrowserHistoryDisabled": false,
│ │ │ │ +"EnableOnlineRevocationChecks": true,
│ │ │ │        Is it the case that it is not enabled?</ocil:question_text>
│ │ │ │      </ocil:boolean_question>
│ │ │ │ +    <ocil:boolean_question id="ocil:ssg-chromium_plugins_require_authorization_question:question:1">
│ │ │ │ +      <ocil:question_text>To verify that plugins require authorization to run, run the following command:
│ │ │ │ +$ grep AlwaysAuthorizePlugins /etc/chromium/policies/managed/*.json
│ │ │ │ +The output should contain:
│ │ │ │ +"AlwaysAuthorizePlugins": false,
│ │ │ │ +      Is it the case that it is not set?</ocil:question_text>
│ │ │ │ +    </ocil:boolean_question>
│ │ │ │      <ocil:boolean_question id="ocil:ssg-chromium_disable_network_prediction_question:question:1">
│ │ │ │        <ocil:question_text>To verify that network prediction is disabled, run the following command:
│ │ │ │  $ grep DnsPrefetchingEnabled /etc/chromium/policies/managed/*.json
│ │ │ │  The output should contain:
│ │ │ │  "DnsPrefetchingEnabled": false,
│ │ │ │        Is it the case that it is not disabled?</ocil:question_text>
│ │ │ │      </ocil:boolean_question>
│ │ │ │ +    <ocil:boolean_question id="ocil:ssg-chromium_disable_session_cookies_question:question:1">
│ │ │ │ +      <ocil:question_text>To verify that sessions cookies for approved sites only are enabled,
│ │ │ │ +run the following command:
│ │ │ │ +$ grep CookiesSessionOnlyForUrls /etc/chromium/policies/managed/*.json
│ │ │ │ +The output should contain:
│ │ │ │ +"CookiesSessionOnlyForUrls": ["none"],
│ │ │ │ +      Is it the case that it is not disabled?</ocil:question_text>
│ │ │ │ +    </ocil:boolean_question>
│ │ │ │ +    <ocil:boolean_question id="ocil:ssg-chromium_disable_incognito_mode_question:question:1">
│ │ │ │ +      <ocil:question_text>To verify that incognito mode is disabled, run the following command:
│ │ │ │ +$ grep IncognitoModeAvailability /etc/chromium/policies/managed/*.json
│ │ │ │ +The output should contain:
│ │ │ │ +"IncognitoModeAvailability": 1,
│ │ │ │ +      Is it the case that it is not disabled?</ocil:question_text>
│ │ │ │ +    </ocil:boolean_question>
│ │ │ │ +    <ocil:boolean_question id="ocil:ssg-chromium_whitelist_plugin_urls_question:question:1">
│ │ │ │ +      <ocil:question_text>To verify that plugins are allowed for only approved URLs, 
│ │ │ │ +run the following command:
│ │ │ │ +$ grep PluginsAllowedForUrls /etc/chromium/policies/managed/*.json
│ │ │ │ +The output should contain:
│ │ │ │ +"PluginsAllowedForUrls": ["[*.]mil", "[*.]example.com", "www.example.com"],
│ │ │ │ +      Is it the case that no urls exist or it is not set to none?</ocil:question_text>
│ │ │ │ +    </ocil:boolean_question>
│ │ │ │    </ocil:questions>
│ │ │ │  </ocil:ocil>
│ │ ├── ./usr/share/xml/scap/ssg/content/ssg-eks-ds.xml
│ │ │ ├── ./usr/share/xml/scap/ssg/content/ssg-eks-ds.xml
│ │ │ │┄ Ordering differences only
│ │ │ │ @@ -2175,321 +2175,321 @@
│ │ │ │        <ocil:generator>
│ │ │ │          <ocil:product_name>build_shorthand.py from SCAP Security Guide</ocil:product_name>
│ │ │ │          <ocil:product_version>ssg: 0.1.76</ocil:product_version>
│ │ │ │          <ocil:schema_version>2.0</ocil:schema_version>
│ │ │ │          <ocil:timestamp>2025-03-01T08:08:00</ocil:timestamp>
│ │ │ │        </ocil:generator>
│ │ │ │        <ocil:questionnaires>
│ │ │ │ -        <ocil:questionnaire id="ocil:ssg-registry_access_ocil:questionnaire:1">
│ │ │ │ -          <ocil:title>Minimize user access to Amazon ECR</ocil:title>
│ │ │ │ +        <ocil:questionnaire id="ocil:ssg-image_scanning_ocil:questionnaire:1">
│ │ │ │ +          <ocil:title>Ensure Image Vulnerability Scanning</ocil:title>
│ │ │ │            <ocil:actions>
│ │ │ │ -            <ocil:test_action_ref>ocil:ssg-registry_access_action:testaction:1</ocil:test_action_ref>
│ │ │ │ +            <ocil:test_action_ref>ocil:ssg-image_scanning_action:testaction:1</ocil:test_action_ref>
│ │ │ │            </ocil:actions>
│ │ │ │          </ocil:questionnaire>
│ │ │ │ -        <ocil:questionnaire id="ocil:ssg-dedicated_service_accounts_ocil:questionnaire:1">
│ │ │ │ -          <ocil:title>Use Dedicated Service Accounts</ocil:title>
│ │ │ │ +        <ocil:questionnaire id="ocil:ssg-file_groupowner_kubelet_conf_ocil:questionnaire:1">
│ │ │ │ +          <ocil:title>Verify Group Who Owns The Kubelet Configuration File</ocil:title>
│ │ │ │            <ocil:actions>
│ │ │ │ -            <ocil:test_action_ref>ocil:ssg-dedicated_service_accounts_action:testaction:1</ocil:test_action_ref>
│ │ │ │ +            <ocil:test_action_ref>ocil:ssg-file_groupowner_kubelet_conf_action:testaction:1</ocil:test_action_ref>
│ │ │ │            </ocil:actions>
│ │ │ │          </ocil:questionnaire>
│ │ │ │ -        <ocil:questionnaire id="ocil:ssg-kubelet_enable_protect_kernel_defaults_ocil:questionnaire:1">
│ │ │ │ -          <ocil:title>kubelet - Enable Protect Kernel Defaults</ocil:title>
│ │ │ │ +        <ocil:questionnaire id="ocil:ssg-kubelet_read_only_port_secured_ocil:questionnaire:1">
│ │ │ │ +          <ocil:title>kubelet - Ensure that the --read-only-port is secured</ocil:title>
│ │ │ │            <ocil:actions>
│ │ │ │ -            <ocil:test_action_ref>ocil:ssg-kubelet_enable_protect_kernel_defaults_action:testaction:1</ocil:test_action_ref>
│ │ │ │ +            <ocil:test_action_ref>ocil:ssg-kubelet_read_only_port_secured_action:testaction:1</ocil:test_action_ref>
│ │ │ │            </ocil:actions>
│ │ │ │          </ocil:questionnaire>
│ │ │ │ -        <ocil:questionnaire id="ocil:ssg-file_permissions_worker_kubeconfig_ocil:questionnaire:1">
│ │ │ │ -          <ocil:title>Verify Permissions on the Worker Kubeconfig File</ocil:title>
│ │ │ │ +        <ocil:questionnaire id="ocil:ssg-kubelet_configure_client_ca_ocil:questionnaire:1">
│ │ │ │ +          <ocil:title>kubelet - Configure the Client CA Certificate</ocil:title>
│ │ │ │            <ocil:actions>
│ │ │ │ -            <ocil:test_action_ref>ocil:ssg-file_permissions_worker_kubeconfig_action:testaction:1</ocil:test_action_ref>
│ │ │ │ +            <ocil:test_action_ref>ocil:ssg-kubelet_configure_client_ca_action:testaction:1</ocil:test_action_ref>
│ │ │ │            </ocil:actions>
│ │ │ │          </ocil:questionnaire>
│ │ │ │ -        <ocil:questionnaire id="ocil:ssg-audit_logging_ocil:questionnaire:1">
│ │ │ │ -          <ocil:title>Ensure Audit Logging is Enabled</ocil:title>
│ │ │ │ +        <ocil:questionnaire id="ocil:ssg-read_only_registry_access_ocil:questionnaire:1">
│ │ │ │ +          <ocil:title>Ensure Cluster Service Account with read-only access to Amazon ECR</ocil:title>
│ │ │ │            <ocil:actions>
│ │ │ │ -            <ocil:test_action_ref>ocil:ssg-audit_logging_action:testaction:1</ocil:test_action_ref>
│ │ │ │ +            <ocil:test_action_ref>ocil:ssg-read_only_registry_access_action:testaction:1</ocil:test_action_ref>
│ │ │ │            </ocil:actions>
│ │ │ │          </ocil:questionnaire>
│ │ │ │ -        <ocil:questionnaire id="ocil:ssg-kubelet_read_only_port_secured_ocil:questionnaire:1">
│ │ │ │ -          <ocil:title>kubelet - Ensure that the --read-only-port is secured</ocil:title>
│ │ │ │ +        <ocil:questionnaire id="ocil:ssg-file_owner_kubelet_conf_ocil:questionnaire:1">
│ │ │ │ +          <ocil:title>Verify User Who Owns The Kubelet Configuration File</ocil:title>
│ │ │ │            <ocil:actions>
│ │ │ │ -            <ocil:test_action_ref>ocil:ssg-kubelet_read_only_port_secured_action:testaction:1</ocil:test_action_ref>
│ │ │ │ +            <ocil:test_action_ref>ocil:ssg-file_owner_kubelet_conf_action:testaction:1</ocil:test_action_ref>
│ │ │ │            </ocil:actions>
│ │ │ │          </ocil:questionnaire>
│ │ │ │ -        <ocil:questionnaire id="ocil:ssg-endpoint_configuration_ocil:questionnaire:1">
│ │ │ │ -          <ocil:title>Ensure Private Endpoint Access</ocil:title>
│ │ │ │ +        <ocil:questionnaire id="ocil:ssg-kubelet_authorization_mode_ocil:questionnaire:1">
│ │ │ │ +          <ocil:title>Ensure authorization is set to Webhook</ocil:title>
│ │ │ │            <ocil:actions>
│ │ │ │ -            <ocil:test_action_ref>ocil:ssg-endpoint_configuration_action:testaction:1</ocil:test_action_ref>
│ │ │ │ +            <ocil:test_action_ref>ocil:ssg-kubelet_authorization_mode_action:testaction:1</ocil:test_action_ref>
│ │ │ │            </ocil:actions>
│ │ │ │          </ocil:questionnaire>
│ │ │ │ -        <ocil:questionnaire id="ocil:ssg-secret_encryption_ocil:questionnaire:1">
│ │ │ │ -          <ocil:title>Ensure Kubernetes Secrets are Encrypted</ocil:title>
│ │ │ │ +        <ocil:questionnaire id="ocil:ssg-registry_access_ocil:questionnaire:1">
│ │ │ │ +          <ocil:title>Minimize user access to Amazon ECR</ocil:title>
│ │ │ │            <ocil:actions>
│ │ │ │ -            <ocil:test_action_ref>ocil:ssg-secret_encryption_action:testaction:1</ocil:test_action_ref>
│ │ │ │ +            <ocil:test_action_ref>ocil:ssg-registry_access_action:testaction:1</ocil:test_action_ref>
│ │ │ │            </ocil:actions>
│ │ │ │          </ocil:questionnaire>
│ │ │ │ -        <ocil:questionnaire id="ocil:ssg-kubelet_enable_iptables_util_chains_ocil:questionnaire:1">
│ │ │ │ -          <ocil:title>kubelet - Allow Automatic Firewall Configuration</ocil:title>
│ │ │ │ +        <ocil:questionnaire id="ocil:ssg-file_permissions_worker_kubeconfig_ocil:questionnaire:1">
│ │ │ │ +          <ocil:title>Verify Permissions on the Worker Kubeconfig File</ocil:title>
│ │ │ │            <ocil:actions>
│ │ │ │ -            <ocil:test_action_ref>ocil:ssg-kubelet_enable_iptables_util_chains_action:testaction:1</ocil:test_action_ref>
│ │ │ │ +            <ocil:test_action_ref>ocil:ssg-file_permissions_worker_kubeconfig_action:testaction:1</ocil:test_action_ref>
│ │ │ │            </ocil:actions>
│ │ │ │          </ocil:questionnaire>
│ │ │ │ -        <ocil:questionnaire id="ocil:ssg-file_owner_worker_kubeconfig_ocil:questionnaire:1">
│ │ │ │ -          <ocil:title>Verify User Who Owns The Worker Kubeconfig File</ocil:title>
│ │ │ │ +        <ocil:questionnaire id="ocil:ssg-endpoint_configuration_ocil:questionnaire:1">
│ │ │ │ +          <ocil:title>Ensure Private Endpoint Access</ocil:title>
│ │ │ │            <ocil:actions>
│ │ │ │ -            <ocil:test_action_ref>ocil:ssg-file_owner_worker_kubeconfig_action:testaction:1</ocil:test_action_ref>
│ │ │ │ +            <ocil:test_action_ref>ocil:ssg-endpoint_configuration_action:testaction:1</ocil:test_action_ref>
│ │ │ │            </ocil:actions>
│ │ │ │          </ocil:questionnaire>
│ │ │ │ -        <ocil:questionnaire id="ocil:ssg-kubelet_enable_server_cert_rotation_ocil:questionnaire:1">
│ │ │ │ -          <ocil:title>kubelet - Enable Server Certificate Rotation</ocil:title>
│ │ │ │ +        <ocil:questionnaire id="ocil:ssg-kubelet_enable_streaming_connections_deprecated_ocil:questionnaire:1">
│ │ │ │ +          <ocil:title>kubelet - Do Not Disable Streaming Timeouts</ocil:title>
│ │ │ │            <ocil:actions>
│ │ │ │ -            <ocil:test_action_ref>ocil:ssg-kubelet_enable_server_cert_rotation_action:testaction:1</ocil:test_action_ref>
│ │ │ │ +            <ocil:test_action_ref>ocil:ssg-kubelet_enable_streaming_connections_deprecated_action:testaction:1</ocil:test_action_ref>
│ │ │ │            </ocil:actions>
│ │ │ │          </ocil:questionnaire>
│ │ │ │ -        <ocil:questionnaire id="ocil:ssg-file_groupowner_kubelet_conf_ocil:questionnaire:1">
│ │ │ │ -          <ocil:title>Verify Group Who Owns The Kubelet Configuration File</ocil:title>
│ │ │ │ +        <ocil:questionnaire id="ocil:ssg-private_nodes_ocil:questionnaire:1">
│ │ │ │ +          <ocil:title>Ensure Cluster Private Nodes</ocil:title>
│ │ │ │            <ocil:actions>
│ │ │ │ -            <ocil:test_action_ref>ocil:ssg-file_groupowner_kubelet_conf_action:testaction:1</ocil:test_action_ref>
│ │ │ │ +            <ocil:test_action_ref>ocil:ssg-private_nodes_action:testaction:1</ocil:test_action_ref>
│ │ │ │            </ocil:actions>
│ │ │ │          </ocil:questionnaire>
│ │ │ │ -        <ocil:questionnaire id="ocil:ssg-fargate_ocil:questionnaire:1">
│ │ │ │ -          <ocil:title>Consider Fargate for Untrusted Workloads</ocil:title>
│ │ │ │ +        <ocil:questionnaire id="ocil:ssg-kubelet_enable_streaming_connections_ocil:questionnaire:1">
│ │ │ │ +          <ocil:title>kubelet - Do Not Disable Streaming Timeouts</ocil:title>
│ │ │ │            <ocil:actions>
│ │ │ │ -            <ocil:test_action_ref>ocil:ssg-fargate_action:testaction:1</ocil:test_action_ref>
│ │ │ │ +            <ocil:test_action_ref>ocil:ssg-kubelet_enable_streaming_connections_action:testaction:1</ocil:test_action_ref>
│ │ │ │            </ocil:actions>
│ │ │ │          </ocil:questionnaire>
│ │ │ │ -        <ocil:questionnaire id="ocil:ssg-configure_network_policies_namespaces_ocil:questionnaire:1">
│ │ │ │ -          <ocil:title>Ensure that application Namespaces have Network Policies defined.</ocil:title>
│ │ │ │ +        <ocil:questionnaire id="ocil:ssg-approved_registries_ocil:questionnaire:1">
│ │ │ │ +          <ocil:title>Only use approved container registries</ocil:title>
│ │ │ │            <ocil:actions>
│ │ │ │ -            <ocil:test_action_ref>ocil:ssg-configure_network_policies_namespaces_action:testaction:1</ocil:test_action_ref>
│ │ │ │ +            <ocil:test_action_ref>ocil:ssg-approved_registries_action:testaction:1</ocil:test_action_ref>
│ │ │ │            </ocil:actions>
│ │ │ │          </ocil:questionnaire>
│ │ │ │ -        <ocil:questionnaire id="ocil:ssg-file_groupowner_worker_kubeconfig_ocil:questionnaire:1">
│ │ │ │ -          <ocil:title>Verify Group Who Owns The Worker Kubeconfig File</ocil:title>
│ │ │ │ +        <ocil:questionnaire id="ocil:ssg-configure_tls_ocil:questionnaire:1">
│ │ │ │ +          <ocil:title>Encrypt Traffic to Load Balancers and Workloads</ocil:title>
│ │ │ │            <ocil:actions>
│ │ │ │ -            <ocil:test_action_ref>ocil:ssg-file_groupowner_worker_kubeconfig_action:testaction:1</ocil:test_action_ref>
│ │ │ │ +            <ocil:test_action_ref>ocil:ssg-configure_tls_action:testaction:1</ocil:test_action_ref>
│ │ │ │            </ocil:actions>
│ │ │ │          </ocil:questionnaire>
│ │ │ │          <ocil:questionnaire id="ocil:ssg-kubelet_anonymous_auth_ocil:questionnaire:1">
│ │ │ │            <ocil:title>Disable Anonymous Authentication to the Kubelet</ocil:title>
│ │ │ │            <ocil:actions>
│ │ │ │              <ocil:test_action_ref>ocil:ssg-kubelet_anonymous_auth_action:testaction:1</ocil:test_action_ref>
│ │ │ │            </ocil:actions>
│ │ │ │          </ocil:questionnaire>
│ │ │ │ -        <ocil:questionnaire id="ocil:ssg-iam_integration_ocil:questionnaire:1">
│ │ │ │ -          <ocil:title>Manage Users with AWS IAM</ocil:title>
│ │ │ │ +        <ocil:questionnaire id="ocil:ssg-file_owner_worker_kubeconfig_ocil:questionnaire:1">
│ │ │ │ +          <ocil:title>Verify User Who Owns The Worker Kubeconfig File</ocil:title>
│ │ │ │            <ocil:actions>
│ │ │ │ -            <ocil:test_action_ref>ocil:ssg-iam_integration_action:testaction:1</ocil:test_action_ref>
│ │ │ │ +            <ocil:test_action_ref>ocil:ssg-file_owner_worker_kubeconfig_action:testaction:1</ocil:test_action_ref>
│ │ │ │            </ocil:actions>
│ │ │ │          </ocil:questionnaire>
│ │ │ │ -        <ocil:questionnaire id="ocil:ssg-private_nodes_ocil:questionnaire:1">
│ │ │ │ -          <ocil:title>Ensure Cluster Private Nodes</ocil:title>
│ │ │ │ +        <ocil:questionnaire id="ocil:ssg-kubelet_enable_iptables_util_chains_ocil:questionnaire:1">
│ │ │ │ +          <ocil:title>kubelet - Allow Automatic Firewall Configuration</ocil:title>
│ │ │ │            <ocil:actions>
│ │ │ │ -            <ocil:test_action_ref>ocil:ssg-private_nodes_action:testaction:1</ocil:test_action_ref>
│ │ │ │ +            <ocil:test_action_ref>ocil:ssg-kubelet_enable_iptables_util_chains_action:testaction:1</ocil:test_action_ref>
│ │ │ │            </ocil:actions>
│ │ │ │          </ocil:questionnaire>
│ │ │ │ -        <ocil:questionnaire id="ocil:ssg-kubelet_configure_client_ca_ocil:questionnaire:1">
│ │ │ │ -          <ocil:title>kubelet - Configure the Client CA Certificate</ocil:title>
│ │ │ │ +        <ocil:questionnaire id="ocil:ssg-iam_integration_ocil:questionnaire:1">
│ │ │ │ +          <ocil:title>Manage Users with AWS IAM</ocil:title>
│ │ │ │            <ocil:actions>
│ │ │ │ -            <ocil:test_action_ref>ocil:ssg-kubelet_configure_client_ca_action:testaction:1</ocil:test_action_ref>
│ │ │ │ +            <ocil:test_action_ref>ocil:ssg-iam_integration_action:testaction:1</ocil:test_action_ref>
│ │ │ │            </ocil:actions>
│ │ │ │          </ocil:questionnaire>
│ │ │ │ -        <ocil:questionnaire id="ocil:ssg-kubelet_authorization_mode_ocil:questionnaire:1">
│ │ │ │ -          <ocil:title>Ensure authorization is set to Webhook</ocil:title>
│ │ │ │ +        <ocil:questionnaire id="ocil:ssg-file_groupowner_worker_kubeconfig_ocil:questionnaire:1">
│ │ │ │ +          <ocil:title>Verify Group Who Owns The Worker Kubeconfig File</ocil:title>
│ │ │ │            <ocil:actions>
│ │ │ │ -            <ocil:test_action_ref>ocil:ssg-kubelet_authorization_mode_action:testaction:1</ocil:test_action_ref>
│ │ │ │ +            <ocil:test_action_ref>ocil:ssg-file_groupowner_worker_kubeconfig_action:testaction:1</ocil:test_action_ref>
│ │ │ │            </ocil:actions>
│ │ │ │          </ocil:questionnaire>
│ │ │ │ -        <ocil:questionnaire id="ocil:ssg-configure_tls_ocil:questionnaire:1">
│ │ │ │ -          <ocil:title>Encrypt Traffic to Load Balancers and Workloads</ocil:title>
│ │ │ │ +        <ocil:questionnaire id="ocil:ssg-kubelet_enable_cert_rotation_ocil:questionnaire:1">
│ │ │ │ +          <ocil:title>kubelet - Enable Certificate Rotation</ocil:title>
│ │ │ │            <ocil:actions>
│ │ │ │ -            <ocil:test_action_ref>ocil:ssg-configure_tls_action:testaction:1</ocil:test_action_ref>
│ │ │ │ +            <ocil:test_action_ref>ocil:ssg-kubelet_enable_cert_rotation_action:testaction:1</ocil:test_action_ref>
│ │ │ │            </ocil:actions>
│ │ │ │          </ocil:questionnaire>
│ │ │ │ -        <ocil:questionnaire id="ocil:ssg-configure_network_policy_ocil:questionnaire:1">
│ │ │ │ -          <ocil:title>Ensure Network Policy is Enabled</ocil:title>
│ │ │ │ +        <ocil:questionnaire id="ocil:ssg-fargate_ocil:questionnaire:1">
│ │ │ │ +          <ocil:title>Consider Fargate for Untrusted Workloads</ocil:title>
│ │ │ │            <ocil:actions>
│ │ │ │ -            <ocil:test_action_ref>ocil:ssg-configure_network_policy_action:testaction:1</ocil:test_action_ref>
│ │ │ │ +            <ocil:test_action_ref>ocil:ssg-fargate_action:testaction:1</ocil:test_action_ref>
│ │ │ │            </ocil:actions>
│ │ │ │          </ocil:questionnaire>
│ │ │ │ -        <ocil:questionnaire id="ocil:ssg-file_owner_kubelet_conf_ocil:questionnaire:1">
│ │ │ │ -          <ocil:title>Verify User Who Owns The Kubelet Configuration File</ocil:title>
│ │ │ │ +        <ocil:questionnaire id="ocil:ssg-kubelet_enable_server_cert_rotation_ocil:questionnaire:1">
│ │ │ │ +          <ocil:title>kubelet - Enable Server Certificate Rotation</ocil:title>
│ │ │ │            <ocil:actions>
│ │ │ │ -            <ocil:test_action_ref>ocil:ssg-file_owner_kubelet_conf_action:testaction:1</ocil:test_action_ref>
│ │ │ │ +            <ocil:test_action_ref>ocil:ssg-kubelet_enable_server_cert_rotation_action:testaction:1</ocil:test_action_ref>
│ │ │ │            </ocil:actions>
│ │ │ │          </ocil:questionnaire>
│ │ │ │ -        <ocil:questionnaire id="ocil:ssg-approved_registries_ocil:questionnaire:1">
│ │ │ │ -          <ocil:title>Only use approved container registries</ocil:title>
│ │ │ │ +        <ocil:questionnaire id="ocil:ssg-kubelet_enable_client_cert_rotation_ocil:questionnaire:1">
│ │ │ │ +          <ocil:title>kubelet - Enable Client Certificate Rotation</ocil:title>
│ │ │ │            <ocil:actions>
│ │ │ │ -            <ocil:test_action_ref>ocil:ssg-approved_registries_action:testaction:1</ocil:test_action_ref>
│ │ │ │ +            <ocil:test_action_ref>ocil:ssg-kubelet_enable_client_cert_rotation_action:testaction:1</ocil:test_action_ref>
│ │ │ │            </ocil:actions>
│ │ │ │          </ocil:questionnaire>
│ │ │ │ -        <ocil:questionnaire id="ocil:ssg-kubelet_enable_streaming_connections_ocil:questionnaire:1">
│ │ │ │ -          <ocil:title>kubelet - Do Not Disable Streaming Timeouts</ocil:title>
│ │ │ │ +        <ocil:questionnaire id="ocil:ssg-dedicated_service_accounts_ocil:questionnaire:1">
│ │ │ │ +          <ocil:title>Use Dedicated Service Accounts</ocil:title>
│ │ │ │            <ocil:actions>
│ │ │ │ -            <ocil:test_action_ref>ocil:ssg-kubelet_enable_streaming_connections_action:testaction:1</ocil:test_action_ref>
│ │ │ │ +            <ocil:test_action_ref>ocil:ssg-dedicated_service_accounts_action:testaction:1</ocil:test_action_ref>
│ │ │ │            </ocil:actions>
│ │ │ │          </ocil:questionnaire>
│ │ │ │ -        <ocil:questionnaire id="ocil:ssg-image_scanning_ocil:questionnaire:1">
│ │ │ │ -          <ocil:title>Ensure Image Vulnerability Scanning</ocil:title>
│ │ │ │ +        <ocil:questionnaire id="ocil:ssg-configure_network_policy_ocil:questionnaire:1">
│ │ │ │ +          <ocil:title>Ensure Network Policy is Enabled</ocil:title>
│ │ │ │            <ocil:actions>
│ │ │ │ -            <ocil:test_action_ref>ocil:ssg-image_scanning_action:testaction:1</ocil:test_action_ref>
│ │ │ │ +            <ocil:test_action_ref>ocil:ssg-configure_network_policy_action:testaction:1</ocil:test_action_ref>
│ │ │ │            </ocil:actions>
│ │ │ │          </ocil:questionnaire>
│ │ │ │ -        <ocil:questionnaire id="ocil:ssg-read_only_registry_access_ocil:questionnaire:1">
│ │ │ │ -          <ocil:title>Ensure Cluster Service Account with read-only access to Amazon ECR</ocil:title>
│ │ │ │ +        <ocil:questionnaire id="ocil:ssg-control_plane_access_ocil:questionnaire:1">
│ │ │ │ +          <ocil:title>Restrict Access to the Control Plane Endpoint</ocil:title>
│ │ │ │            <ocil:actions>
│ │ │ │ -            <ocil:test_action_ref>ocil:ssg-read_only_registry_access_action:testaction:1</ocil:test_action_ref>
│ │ │ │ +            <ocil:test_action_ref>ocil:ssg-control_plane_access_action:testaction:1</ocil:test_action_ref>
│ │ │ │            </ocil:actions>
│ │ │ │          </ocil:questionnaire>
│ │ │ │ -        <ocil:questionnaire id="ocil:ssg-kubelet_enable_cert_rotation_ocil:questionnaire:1">
│ │ │ │ -          <ocil:title>kubelet - Enable Certificate Rotation</ocil:title>
│ │ │ │ +        <ocil:questionnaire id="ocil:ssg-secret_encryption_ocil:questionnaire:1">
│ │ │ │ +          <ocil:title>Ensure Kubernetes Secrets are Encrypted</ocil:title>
│ │ │ │            <ocil:actions>
│ │ │ │ -            <ocil:test_action_ref>ocil:ssg-kubelet_enable_cert_rotation_action:testaction:1</ocil:test_action_ref>
│ │ │ │ +            <ocil:test_action_ref>ocil:ssg-secret_encryption_action:testaction:1</ocil:test_action_ref>
│ │ │ │            </ocil:actions>
│ │ │ │          </ocil:questionnaire>
│ │ │ │ -        <ocil:questionnaire id="ocil:ssg-kubelet_enable_streaming_connections_deprecated_ocil:questionnaire:1">
│ │ │ │ -          <ocil:title>kubelet - Do Not Disable Streaming Timeouts</ocil:title>
│ │ │ │ +        <ocil:questionnaire id="ocil:ssg-file_permissions_kubelet_conf_ocil:questionnaire:1">
│ │ │ │ +          <ocil:title>Verify Permissions on The Kubelet Configuration File</ocil:title>
│ │ │ │            <ocil:actions>
│ │ │ │ -            <ocil:test_action_ref>ocil:ssg-kubelet_enable_streaming_connections_deprecated_action:testaction:1</ocil:test_action_ref>
│ │ │ │ +            <ocil:test_action_ref>ocil:ssg-file_permissions_kubelet_conf_action:testaction:1</ocil:test_action_ref>
│ │ │ │            </ocil:actions>
│ │ │ │          </ocil:questionnaire>
│ │ │ │ -        <ocil:questionnaire id="ocil:ssg-kubelet_enable_client_cert_rotation_ocil:questionnaire:1">
│ │ │ │ -          <ocil:title>kubelet - Enable Client Certificate Rotation</ocil:title>
│ │ │ │ +        <ocil:questionnaire id="ocil:ssg-configure_network_policies_namespaces_ocil:questionnaire:1">
│ │ │ │ +          <ocil:title>Ensure that application Namespaces have Network Policies defined.</ocil:title>
│ │ │ │            <ocil:actions>
│ │ │ │ -            <ocil:test_action_ref>ocil:ssg-kubelet_enable_client_cert_rotation_action:testaction:1</ocil:test_action_ref>
│ │ │ │ +            <ocil:test_action_ref>ocil:ssg-configure_network_policies_namespaces_action:testaction:1</ocil:test_action_ref>
│ │ │ │            </ocil:actions>
│ │ │ │          </ocil:questionnaire>
│ │ │ │ -        <ocil:questionnaire id="ocil:ssg-file_permissions_kubelet_conf_ocil:questionnaire:1">
│ │ │ │ -          <ocil:title>Verify Permissions on The Kubelet Configuration File</ocil:title>
│ │ │ │ +        <ocil:questionnaire id="ocil:ssg-audit_logging_ocil:questionnaire:1">
│ │ │ │ +          <ocil:title>Ensure Audit Logging is Enabled</ocil:title>
│ │ │ │            <ocil:actions>
│ │ │ │ -            <ocil:test_action_ref>ocil:ssg-file_permissions_kubelet_conf_action:testaction:1</ocil:test_action_ref>
│ │ │ │ +            <ocil:test_action_ref>ocil:ssg-audit_logging_action:testaction:1</ocil:test_action_ref>
│ │ │ │            </ocil:actions>
│ │ │ │          </ocil:questionnaire>
│ │ │ │ -        <ocil:questionnaire id="ocil:ssg-control_plane_access_ocil:questionnaire:1">
│ │ │ │ -          <ocil:title>Restrict Access to the Control Plane Endpoint</ocil:title>
│ │ │ │ +        <ocil:questionnaire id="ocil:ssg-kubelet_enable_protect_kernel_defaults_ocil:questionnaire:1">
│ │ │ │ +          <ocil:title>kubelet - Enable Protect Kernel Defaults</ocil:title>
│ │ │ │            <ocil:actions>
│ │ │ │ -            <ocil:test_action_ref>ocil:ssg-control_plane_access_action:testaction:1</ocil:test_action_ref>
│ │ │ │ +            <ocil:test_action_ref>ocil:ssg-kubelet_enable_protect_kernel_defaults_action:testaction:1</ocil:test_action_ref>
│ │ │ │            </ocil:actions>
│ │ │ │          </ocil:questionnaire>
│ │ │ │        </ocil:questionnaires>
│ │ │ │        <ocil:test_actions>
│ │ │ │ -        <ocil:boolean_question_test_action id="ocil:ssg-registry_access_action:testaction:1" question_ref="ocil:ssg-registry_access_question:question:1">
│ │ │ │ +        <ocil:boolean_question_test_action id="ocil:ssg-image_scanning_action:testaction:1" question_ref="ocil:ssg-image_scanning_question:question:1">
│ │ │ │            <ocil:when_true>
│ │ │ │              <ocil:result>PASS</ocil:result>
│ │ │ │            </ocil:when_true>
│ │ │ │            <ocil:when_false>
│ │ │ │              <ocil:result>FAIL</ocil:result>
│ │ │ │            </ocil:when_false>
│ │ │ │          </ocil:boolean_question_test_action>
│ │ │ │ -        <ocil:boolean_question_test_action id="ocil:ssg-dedicated_service_accounts_action:testaction:1" question_ref="ocil:ssg-dedicated_service_accounts_question:question:1">
│ │ │ │ +        <ocil:boolean_question_test_action id="ocil:ssg-file_groupowner_kubelet_conf_action:testaction:1" question_ref="ocil:ssg-file_groupowner_kubelet_conf_question:question:1">
│ │ │ │            <ocil:when_true>
│ │ │ │              <ocil:result>PASS</ocil:result>
│ │ │ │            </ocil:when_true>
│ │ │ │            <ocil:when_false>
│ │ │ │              <ocil:result>FAIL</ocil:result>
│ │ │ │            </ocil:when_false>
│ │ │ │          </ocil:boolean_question_test_action>
│ │ │ │ -        <ocil:boolean_question_test_action id="ocil:ssg-kubelet_enable_protect_kernel_defaults_action:testaction:1" question_ref="ocil:ssg-kubelet_enable_protect_kernel_defaults_question:question:1">
│ │ │ │ +        <ocil:boolean_question_test_action id="ocil:ssg-kubelet_read_only_port_secured_action:testaction:1" question_ref="ocil:ssg-kubelet_read_only_port_secured_question:question:1">
│ │ │ │            <ocil:when_true>
│ │ │ │              <ocil:result>PASS</ocil:result>
│ │ │ │            </ocil:when_true>
│ │ │ │            <ocil:when_false>
│ │ │ │              <ocil:result>FAIL</ocil:result>
│ │ │ │            </ocil:when_false>
│ │ │ │          </ocil:boolean_question_test_action>
│ │ │ │ -        <ocil:boolean_question_test_action id="ocil:ssg-file_permissions_worker_kubeconfig_action:testaction:1" question_ref="ocil:ssg-file_permissions_worker_kubeconfig_question:question:1">
│ │ │ │ +        <ocil:boolean_question_test_action id="ocil:ssg-kubelet_configure_client_ca_action:testaction:1" question_ref="ocil:ssg-kubelet_configure_client_ca_question:question:1">
│ │ │ │            <ocil:when_true>
│ │ │ │              <ocil:result>PASS</ocil:result>
│ │ │ │            </ocil:when_true>
│ │ │ │            <ocil:when_false>
│ │ │ │              <ocil:result>FAIL</ocil:result>
│ │ │ │            </ocil:when_false>
│ │ │ │          </ocil:boolean_question_test_action>
│ │ │ │ -        <ocil:boolean_question_test_action id="ocil:ssg-audit_logging_action:testaction:1" question_ref="ocil:ssg-audit_logging_question:question:1">
│ │ │ │ +        <ocil:boolean_question_test_action id="ocil:ssg-read_only_registry_access_action:testaction:1" question_ref="ocil:ssg-read_only_registry_access_question:question:1">
│ │ │ │            <ocil:when_true>
│ │ │ │              <ocil:result>PASS</ocil:result>
│ │ │ │            </ocil:when_true>
│ │ │ │            <ocil:when_false>
│ │ │ │              <ocil:result>FAIL</ocil:result>
│ │ │ │            </ocil:when_false>
│ │ │ │          </ocil:boolean_question_test_action>
│ │ │ │ -        <ocil:boolean_question_test_action id="ocil:ssg-kubelet_read_only_port_secured_action:testaction:1" question_ref="ocil:ssg-kubelet_read_only_port_secured_question:question:1">
│ │ │ │ +        <ocil:boolean_question_test_action id="ocil:ssg-file_owner_kubelet_conf_action:testaction:1" question_ref="ocil:ssg-file_owner_kubelet_conf_question:question:1">
│ │ │ │            <ocil:when_true>
│ │ │ │              <ocil:result>PASS</ocil:result>
│ │ │ │            </ocil:when_true>
│ │ │ │            <ocil:when_false>
│ │ │ │              <ocil:result>FAIL</ocil:result>
│ │ │ │            </ocil:when_false>
│ │ │ │          </ocil:boolean_question_test_action>
│ │ │ │ -        <ocil:boolean_question_test_action id="ocil:ssg-endpoint_configuration_action:testaction:1" question_ref="ocil:ssg-endpoint_configuration_question:question:1">
│ │ │ │ +        <ocil:boolean_question_test_action id="ocil:ssg-kubelet_authorization_mode_action:testaction:1" question_ref="ocil:ssg-kubelet_authorization_mode_question:question:1">
│ │ │ │            <ocil:when_true>
│ │ │ │              <ocil:result>PASS</ocil:result>
│ │ │ │            </ocil:when_true>
│ │ │ │            <ocil:when_false>
│ │ │ │              <ocil:result>FAIL</ocil:result>
│ │ │ │            </ocil:when_false>
│ │ │ │          </ocil:boolean_question_test_action>
│ │ │ │ -        <ocil:boolean_question_test_action id="ocil:ssg-secret_encryption_action:testaction:1" question_ref="ocil:ssg-secret_encryption_question:question:1">
│ │ │ │ +        <ocil:boolean_question_test_action id="ocil:ssg-registry_access_action:testaction:1" question_ref="ocil:ssg-registry_access_question:question:1">
│ │ │ │            <ocil:when_true>
│ │ │ │              <ocil:result>PASS</ocil:result>
│ │ │ │            </ocil:when_true>
│ │ │ │            <ocil:when_false>
│ │ │ │              <ocil:result>FAIL</ocil:result>
│ │ │ │            </ocil:when_false>
│ │ │ │          </ocil:boolean_question_test_action>
│ │ │ │ -        <ocil:boolean_question_test_action id="ocil:ssg-kubelet_enable_iptables_util_chains_action:testaction:1" question_ref="ocil:ssg-kubelet_enable_iptables_util_chains_question:question:1">
│ │ │ │ +        <ocil:boolean_question_test_action id="ocil:ssg-file_permissions_worker_kubeconfig_action:testaction:1" question_ref="ocil:ssg-file_permissions_worker_kubeconfig_question:question:1">
│ │ │ │            <ocil:when_true>
│ │ │ │              <ocil:result>PASS</ocil:result>
│ │ │ │            </ocil:when_true>
│ │ │ │            <ocil:when_false>
│ │ │ │              <ocil:result>FAIL</ocil:result>
│ │ │ │            </ocil:when_false>
│ │ │ │          </ocil:boolean_question_test_action>
│ │ │ │ -        <ocil:boolean_question_test_action id="ocil:ssg-file_owner_worker_kubeconfig_action:testaction:1" question_ref="ocil:ssg-file_owner_worker_kubeconfig_question:question:1">
│ │ │ │ +        <ocil:boolean_question_test_action id="ocil:ssg-endpoint_configuration_action:testaction:1" question_ref="ocil:ssg-endpoint_configuration_question:question:1">
│ │ │ │            <ocil:when_true>
│ │ │ │              <ocil:result>PASS</ocil:result>
│ │ │ │            </ocil:when_true>
│ │ │ │            <ocil:when_false>
│ │ │ │              <ocil:result>FAIL</ocil:result>
│ │ │ │            </ocil:when_false>
│ │ │ │          </ocil:boolean_question_test_action>
│ │ │ │ -        <ocil:boolean_question_test_action id="ocil:ssg-kubelet_enable_server_cert_rotation_action:testaction:1" question_ref="ocil:ssg-kubelet_enable_server_cert_rotation_question:question:1">
│ │ │ │ +        <ocil:boolean_question_test_action id="ocil:ssg-kubelet_enable_streaming_connections_deprecated_action:testaction:1" question_ref="ocil:ssg-kubelet_enable_streaming_connections_deprecated_question:question:1">
│ │ │ │            <ocil:when_true>
│ │ │ │              <ocil:result>PASS</ocil:result>
│ │ │ │            </ocil:when_true>
│ │ │ │            <ocil:when_false>
│ │ │ │              <ocil:result>FAIL</ocil:result>
│ │ │ │            </ocil:when_false>
│ │ │ │          </ocil:boolean_question_test_action>
│ │ │ │ -        <ocil:boolean_question_test_action id="ocil:ssg-file_groupowner_kubelet_conf_action:testaction:1" question_ref="ocil:ssg-file_groupowner_kubelet_conf_question:question:1">
│ │ │ │ +        <ocil:boolean_question_test_action id="ocil:ssg-private_nodes_action:testaction:1" question_ref="ocil:ssg-private_nodes_question:question:1">
│ │ │ │            <ocil:when_true>
│ │ │ │              <ocil:result>PASS</ocil:result>
│ │ │ │            </ocil:when_true>
│ │ │ │            <ocil:when_false>
│ │ │ │              <ocil:result>FAIL</ocil:result>
│ │ │ │            </ocil:when_false>
│ │ │ │          </ocil:boolean_question_test_action>
│ │ │ │ -        <ocil:boolean_question_test_action id="ocil:ssg-fargate_action:testaction:1" question_ref="ocil:ssg-fargate_question:question:1">
│ │ │ │ +        <ocil:boolean_question_test_action id="ocil:ssg-kubelet_enable_streaming_connections_action:testaction:1" question_ref="ocil:ssg-kubelet_enable_streaming_connections_question:question:1">
│ │ │ │            <ocil:when_true>
│ │ │ │              <ocil:result>PASS</ocil:result>
│ │ │ │            </ocil:when_true>
│ │ │ │            <ocil:when_false>
│ │ │ │              <ocil:result>FAIL</ocil:result>
│ │ │ │            </ocil:when_false>
│ │ │ │          </ocil:boolean_question_test_action>
│ │ │ │ -        <ocil:boolean_question_test_action id="ocil:ssg-configure_network_policies_namespaces_action:testaction:1" question_ref="ocil:ssg-configure_network_policies_namespaces_question:question:1">
│ │ │ │ +        <ocil:boolean_question_test_action id="ocil:ssg-approved_registries_action:testaction:1" question_ref="ocil:ssg-approved_registries_question:question:1">
│ │ │ │            <ocil:when_true>
│ │ │ │              <ocil:result>PASS</ocil:result>
│ │ │ │            </ocil:when_true>
│ │ │ │            <ocil:when_false>
│ │ │ │              <ocil:result>FAIL</ocil:result>
│ │ │ │            </ocil:when_false>
│ │ │ │          </ocil:boolean_question_test_action>
│ │ │ │ -        <ocil:boolean_question_test_action id="ocil:ssg-file_groupowner_worker_kubeconfig_action:testaction:1" question_ref="ocil:ssg-file_groupowner_worker_kubeconfig_question:question:1">
│ │ │ │ +        <ocil:boolean_question_test_action id="ocil:ssg-configure_tls_action:testaction:1" question_ref="ocil:ssg-configure_tls_question:question:1">
│ │ │ │            <ocil:when_true>
│ │ │ │              <ocil:result>PASS</ocil:result>
│ │ │ │            </ocil:when_true>
│ │ │ │            <ocil:when_false>
│ │ │ │              <ocil:result>FAIL</ocil:result>
│ │ │ │            </ocil:when_false>
│ │ │ │          </ocil:boolean_question_test_action>
│ │ │ │ @@ -2497,144 +2497,237 @@
│ │ │ │            <ocil:when_true>
│ │ │ │              <ocil:result>PASS</ocil:result>
│ │ │ │            </ocil:when_true>
│ │ │ │            <ocil:when_false>
│ │ │ │              <ocil:result>FAIL</ocil:result>
│ │ │ │            </ocil:when_false>
│ │ │ │          </ocil:boolean_question_test_action>
│ │ │ │ -        <ocil:boolean_question_test_action id="ocil:ssg-iam_integration_action:testaction:1" question_ref="ocil:ssg-iam_integration_question:question:1">
│ │ │ │ +        <ocil:boolean_question_test_action id="ocil:ssg-file_owner_worker_kubeconfig_action:testaction:1" question_ref="ocil:ssg-file_owner_worker_kubeconfig_question:question:1">
│ │ │ │            <ocil:when_true>
│ │ │ │              <ocil:result>PASS</ocil:result>
│ │ │ │            </ocil:when_true>
│ │ │ │            <ocil:when_false>
│ │ │ │              <ocil:result>FAIL</ocil:result>
│ │ │ │            </ocil:when_false>
│ │ │ │          </ocil:boolean_question_test_action>
│ │ │ │ -        <ocil:boolean_question_test_action id="ocil:ssg-private_nodes_action:testaction:1" question_ref="ocil:ssg-private_nodes_question:question:1">
│ │ │ │ +        <ocil:boolean_question_test_action id="ocil:ssg-kubelet_enable_iptables_util_chains_action:testaction:1" question_ref="ocil:ssg-kubelet_enable_iptables_util_chains_question:question:1">
│ │ │ │            <ocil:when_true>
│ │ │ │              <ocil:result>PASS</ocil:result>
│ │ │ │            </ocil:when_true>
│ │ │ │            <ocil:when_false>
│ │ │ │              <ocil:result>FAIL</ocil:result>
│ │ │ │            </ocil:when_false>
│ │ │ │          </ocil:boolean_question_test_action>
│ │ │ │ -        <ocil:boolean_question_test_action id="ocil:ssg-kubelet_configure_client_ca_action:testaction:1" question_ref="ocil:ssg-kubelet_configure_client_ca_question:question:1">
│ │ │ │ +        <ocil:boolean_question_test_action id="ocil:ssg-iam_integration_action:testaction:1" question_ref="ocil:ssg-iam_integration_question:question:1">
│ │ │ │            <ocil:when_true>
│ │ │ │              <ocil:result>PASS</ocil:result>
│ │ │ │            </ocil:when_true>
│ │ │ │            <ocil:when_false>
│ │ │ │              <ocil:result>FAIL</ocil:result>
│ │ │ │            </ocil:when_false>
│ │ │ │          </ocil:boolean_question_test_action>
│ │ │ │ -        <ocil:boolean_question_test_action id="ocil:ssg-kubelet_authorization_mode_action:testaction:1" question_ref="ocil:ssg-kubelet_authorization_mode_question:question:1">
│ │ │ │ +        <ocil:boolean_question_test_action id="ocil:ssg-file_groupowner_worker_kubeconfig_action:testaction:1" question_ref="ocil:ssg-file_groupowner_worker_kubeconfig_question:question:1">
│ │ │ │            <ocil:when_true>
│ │ │ │              <ocil:result>PASS</ocil:result>
│ │ │ │            </ocil:when_true>
│ │ │ │            <ocil:when_false>
│ │ │ │              <ocil:result>FAIL</ocil:result>
│ │ │ │            </ocil:when_false>
│ │ │ │          </ocil:boolean_question_test_action>
│ │ │ │ -        <ocil:boolean_question_test_action id="ocil:ssg-configure_tls_action:testaction:1" question_ref="ocil:ssg-configure_tls_question:question:1">
│ │ │ │ +        <ocil:boolean_question_test_action id="ocil:ssg-kubelet_enable_cert_rotation_action:testaction:1" question_ref="ocil:ssg-kubelet_enable_cert_rotation_question:question:1">
│ │ │ │            <ocil:when_true>
│ │ │ │              <ocil:result>PASS</ocil:result>
│ │ │ │            </ocil:when_true>
│ │ │ │            <ocil:when_false>
│ │ │ │              <ocil:result>FAIL</ocil:result>
│ │ │ │            </ocil:when_false>
│ │ │ │          </ocil:boolean_question_test_action>
│ │ │ │ -        <ocil:boolean_question_test_action id="ocil:ssg-configure_network_policy_action:testaction:1" question_ref="ocil:ssg-configure_network_policy_question:question:1">
│ │ │ │ +        <ocil:boolean_question_test_action id="ocil:ssg-fargate_action:testaction:1" question_ref="ocil:ssg-fargate_question:question:1">
│ │ │ │            <ocil:when_true>
│ │ │ │              <ocil:result>PASS</ocil:result>
│ │ │ │            </ocil:when_true>
│ │ │ │            <ocil:when_false>
│ │ │ │              <ocil:result>FAIL</ocil:result>
│ │ │ │            </ocil:when_false>
│ │ │ │          </ocil:boolean_question_test_action>
│ │ │ │ -        <ocil:boolean_question_test_action id="ocil:ssg-file_owner_kubelet_conf_action:testaction:1" question_ref="ocil:ssg-file_owner_kubelet_conf_question:question:1">
│ │ │ │ +        <ocil:boolean_question_test_action id="ocil:ssg-kubelet_enable_server_cert_rotation_action:testaction:1" question_ref="ocil:ssg-kubelet_enable_server_cert_rotation_question:question:1">
│ │ │ │            <ocil:when_true>
│ │ │ │              <ocil:result>PASS</ocil:result>
│ │ │ │            </ocil:when_true>
│ │ │ │            <ocil:when_false>
│ │ │ │              <ocil:result>FAIL</ocil:result>
│ │ │ │            </ocil:when_false>
│ │ │ │          </ocil:boolean_question_test_action>
│ │ │ │ -        <ocil:boolean_question_test_action id="ocil:ssg-approved_registries_action:testaction:1" question_ref="ocil:ssg-approved_registries_question:question:1">
│ │ │ │ +        <ocil:boolean_question_test_action id="ocil:ssg-kubelet_enable_client_cert_rotation_action:testaction:1" question_ref="ocil:ssg-kubelet_enable_client_cert_rotation_question:question:1">
│ │ │ │            <ocil:when_true>
│ │ │ │              <ocil:result>PASS</ocil:result>
│ │ │ │            </ocil:when_true>
│ │ │ │            <ocil:when_false>
│ │ │ │              <ocil:result>FAIL</ocil:result>
│ │ │ │            </ocil:when_false>
│ │ │ │          </ocil:boolean_question_test_action>
│ │ │ │ -        <ocil:boolean_question_test_action id="ocil:ssg-kubelet_enable_streaming_connections_action:testaction:1" question_ref="ocil:ssg-kubelet_enable_streaming_connections_question:question:1">
│ │ │ │ +        <ocil:boolean_question_test_action id="ocil:ssg-dedicated_service_accounts_action:testaction:1" question_ref="ocil:ssg-dedicated_service_accounts_question:question:1">
│ │ │ │            <ocil:when_true>
│ │ │ │              <ocil:result>PASS</ocil:result>
│ │ │ │            </ocil:when_true>
│ │ │ │            <ocil:when_false>
│ │ │ │              <ocil:result>FAIL</ocil:result>
│ │ │ │            </ocil:when_false>
│ │ │ │          </ocil:boolean_question_test_action>
│ │ │ │ -        <ocil:boolean_question_test_action id="ocil:ssg-image_scanning_action:testaction:1" question_ref="ocil:ssg-image_scanning_question:question:1">
│ │ │ │ +        <ocil:boolean_question_test_action id="ocil:ssg-configure_network_policy_action:testaction:1" question_ref="ocil:ssg-configure_network_policy_question:question:1">
│ │ │ │            <ocil:when_true>
│ │ │ │              <ocil:result>PASS</ocil:result>
│ │ │ │            </ocil:when_true>
│ │ │ │            <ocil:when_false>
│ │ │ │              <ocil:result>FAIL</ocil:result>
│ │ │ │            </ocil:when_false>
│ │ │ │          </ocil:boolean_question_test_action>
│ │ │ │ -        <ocil:boolean_question_test_action id="ocil:ssg-read_only_registry_access_action:testaction:1" question_ref="ocil:ssg-read_only_registry_access_question:question:1">
│ │ │ │ +        <ocil:boolean_question_test_action id="ocil:ssg-control_plane_access_action:testaction:1" question_ref="ocil:ssg-control_plane_access_question:question:1">
│ │ │ │            <ocil:when_true>
│ │ │ │              <ocil:result>PASS</ocil:result>
│ │ │ │            </ocil:when_true>
│ │ │ │            <ocil:when_false>
│ │ │ │              <ocil:result>FAIL</ocil:result>
│ │ │ │            </ocil:when_false>
│ │ │ │          </ocil:boolean_question_test_action>
│ │ │ │ -        <ocil:boolean_question_test_action id="ocil:ssg-kubelet_enable_cert_rotation_action:testaction:1" question_ref="ocil:ssg-kubelet_enable_cert_rotation_question:question:1">
│ │ │ │ +        <ocil:boolean_question_test_action id="ocil:ssg-secret_encryption_action:testaction:1" question_ref="ocil:ssg-secret_encryption_question:question:1">
│ │ │ │            <ocil:when_true>
│ │ │ │              <ocil:result>PASS</ocil:result>
│ │ │ │            </ocil:when_true>
│ │ │ │            <ocil:when_false>
│ │ │ │              <ocil:result>FAIL</ocil:result>
│ │ │ │            </ocil:when_false>
│ │ │ │          </ocil:boolean_question_test_action>
│ │ │ │ -        <ocil:boolean_question_test_action id="ocil:ssg-kubelet_enable_streaming_connections_deprecated_action:testaction:1" question_ref="ocil:ssg-kubelet_enable_streaming_connections_deprecated_question:question:1">
│ │ │ │ +        <ocil:boolean_question_test_action id="ocil:ssg-file_permissions_kubelet_conf_action:testaction:1" question_ref="ocil:ssg-file_permissions_kubelet_conf_question:question:1">
│ │ │ │            <ocil:when_true>
│ │ │ │              <ocil:result>PASS</ocil:result>
│ │ │ │            </ocil:when_true>
│ │ │ │            <ocil:when_false>
│ │ │ │              <ocil:result>FAIL</ocil:result>
│ │ │ │            </ocil:when_false>
│ │ │ │          </ocil:boolean_question_test_action>
│ │ │ │ -        <ocil:boolean_question_test_action id="ocil:ssg-kubelet_enable_client_cert_rotation_action:testaction:1" question_ref="ocil:ssg-kubelet_enable_client_cert_rotation_question:question:1">
│ │ │ │ +        <ocil:boolean_question_test_action id="ocil:ssg-configure_network_policies_namespaces_action:testaction:1" question_ref="ocil:ssg-configure_network_policies_namespaces_question:question:1">
│ │ │ │            <ocil:when_true>
│ │ │ │              <ocil:result>PASS</ocil:result>
│ │ │ │            </ocil:when_true>
│ │ │ │            <ocil:when_false>
│ │ │ │              <ocil:result>FAIL</ocil:result>
│ │ │ │            </ocil:when_false>
│ │ │ │          </ocil:boolean_question_test_action>
│ │ │ │ -        <ocil:boolean_question_test_action id="ocil:ssg-file_permissions_kubelet_conf_action:testaction:1" question_ref="ocil:ssg-file_permissions_kubelet_conf_question:question:1">
│ │ │ │ +        <ocil:boolean_question_test_action id="ocil:ssg-audit_logging_action:testaction:1" question_ref="ocil:ssg-audit_logging_question:question:1">
│ │ │ │            <ocil:when_true>
│ │ │ │              <ocil:result>PASS</ocil:result>
│ │ │ │            </ocil:when_true>
│ │ │ │            <ocil:when_false>
│ │ │ │              <ocil:result>FAIL</ocil:result>
│ │ │ │            </ocil:when_false>
│ │ │ │          </ocil:boolean_question_test_action>
│ │ │ │ -        <ocil:boolean_question_test_action id="ocil:ssg-control_plane_access_action:testaction:1" question_ref="ocil:ssg-control_plane_access_question:question:1">
│ │ │ │ +        <ocil:boolean_question_test_action id="ocil:ssg-kubelet_enable_protect_kernel_defaults_action:testaction:1" question_ref="ocil:ssg-kubelet_enable_protect_kernel_defaults_question:question:1">
│ │ │ │            <ocil:when_true>
│ │ │ │              <ocil:result>PASS</ocil:result>
│ │ │ │            </ocil:when_true>
│ │ │ │            <ocil:when_false>
│ │ │ │              <ocil:result>FAIL</ocil:result>
│ │ │ │            </ocil:when_false>
│ │ │ │          </ocil:boolean_question_test_action>
│ │ │ │        </ocil:test_actions>
│ │ │ │        <ocil:questions>
│ │ │ │ +        <ocil:boolean_question id="ocil:ssg-image_scanning_question:question:1">
│ │ │ │ +          <ocil:question_text>Please follow AWS ECS or your 3rd party image scanning provider's guidelines
│ │ │ │ +for enabling Image Scanning.
│ │ │ │ +
│ │ │ │ +Remediation:
│ │ │ │ +
│ │ │ │ +To utilize AWS ECR for Image scanning please follow the steps below:
│ │ │ │ +
│ │ │ │ +To create a repository configured for scan on push (AWS CLI)
│ │ │ │ +
│ │ │ │ +aws ecr create-repository --repository-name $REPO_NAME --image-scanning- configuration scanOnPush=true --region $REGION_CODE
│ │ │ │ +
│ │ │ │ +To edit the settings of an existing repository (AWS CLI)
│ │ │ │ +
│ │ │ │ +aws ecr put-image-scanning-configuration --repository-name $REPO_NAME -- image-scanning-configuration scanOnPush=true --region $REGION_CODE
│ │ │ │ +
│ │ │ │ +Use the following steps to start a manual image scan using the AWS Management Console.
│ │ │ │ +
│ │ │ │ +1. Open the Amazon ECR console at https://console.aws.amazon.com/ecr/repositories.
│ │ │ │ +2. From the navigation bar, choose the Region to create your repository in.
│ │ │ │ +3. In the navigation pane, choose Repositories.
│ │ │ │ +4. On the Repositories page, choose the repository that contains the image to scan.
│ │ │ │ +5. On the Images page, select the image to scan and then choose Scan.
│ │ │ │ +      Is it the case that image vulnerability scanning is enabled?</ocil:question_text>
│ │ │ │ +        </ocil:boolean_question>
│ │ │ │ +        <ocil:boolean_question id="ocil:ssg-file_groupowner_kubelet_conf_question:question:1">
│ │ │ │ +          <ocil:question_text>To check the group ownership of /etc/kubernetes/kubelet/kubelet-config.json,
│ │ │ │ +run the command:
│ │ │ │ +$ ls -lL /etc/kubernetes/kubelet/kubelet-config.json
│ │ │ │ +If properly configured, the output should indicate the following group-owner:
│ │ │ │ +root
│ │ │ │ +      Is it the case that /etc/kubernetes/kubelet/kubelet-config.json does not have a group owner of root?</ocil:question_text>
│ │ │ │ +        </ocil:boolean_question>
│ │ │ │ +        <ocil:boolean_question id="ocil:ssg-kubelet_read_only_port_secured_question:question:1">
│ │ │ │ +          <ocil:question_text>Run the following command on the kubelet node(s):
│ │ │ │ +$ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1"' | grep readOnlyPort; done
│ │ │ │ +and make sure it outputs 0.
│ │ │ │ +      Is it the case that readOnlyPort is not secured?</ocil:question_text>
│ │ │ │ +        </ocil:boolean_question>
│ │ │ │ +        <ocil:boolean_question id="ocil:ssg-kubelet_configure_client_ca_question:question:1">
│ │ │ │ +          <ocil:question_text>Run the following command on the kubelet node(s):
│ │ │ │ +$ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1"' | grep -A1 x509; done
│ │ │ │ +The output should contain a configured certificate like /etc/kubernetes/pki/ca.crt.
│ │ │ │ +      Is it the case that no client CA certificate has been configured?</ocil:question_text>
│ │ │ │ +        </ocil:boolean_question>
│ │ │ │ +        <ocil:boolean_question id="ocil:ssg-read_only_registry_access_question:question:1">
│ │ │ │ +          <ocil:question_text>Review AWS ECS worker node IAM role (NodeInstanceRole) IAM Policy Permissions
│ │ │ │ +to verify that they are set and the minimum required level. If utilizing a
│ │ │ │ +3rd party tool to scan images utilize the minimum required permission level
│ │ │ │ +required to interact with the cluster - generally this should be read-only.
│ │ │ │ +
│ │ │ │ +Remediation:
│ │ │ │ +
│ │ │ │ +You can use your Amazon ECR images with Amazon EKS, but you need to satisfy
│ │ │ │ +the following prerequisites.
│ │ │ │ +The Amazon EKS worker node IAM role (NodeInstanceRole) that you use with your
│ │ │ │ +worker nodes must possess the following IAM policy permissions for Amazon
│ │ │ │ +ECR.
│ │ │ │ +
│ │ │ │ +
│ │ │ │ +{
│ │ │ │ +  "Version": "2012-10-17",
│ │ │ │ +  "Statement": [
│ │ │ │ +    {
│ │ │ │ +      "Effect": "Allow",
│ │ │ │ +      "Action": [
│ │ │ │ +        "ecr:BatchCheckLayerAvailability",
│ │ │ │ +        "ecr:BatchGetImage",
│ │ │ │ +        "ecr:GetDownloadUrlForLayer",
│ │ │ │ +        "ecr:GetAuthorizationToken"
│ │ │ │ +      ],
│ │ │ │ +      "Resource": "*"
│ │ │ │ +    }
│ │ │ │ +  ]
│ │ │ │ +}
│ │ │ │ +
│ │ │ │ +      Is it the case that Cluster Service Account has read-only access to Amazon ECR?</ocil:question_text>
│ │ │ │ +        </ocil:boolean_question>
│ │ │ │ +        <ocil:boolean_question id="ocil:ssg-file_owner_kubelet_conf_question:question:1">
│ │ │ │ +          <ocil:question_text>To check the ownership of /etc/kubernetes/kubelet/kubelet-config.json,
│ │ │ │ +run the command:
│ │ │ │ +$ ls -lL /etc/kubernetes/kubelet/kubelet-config.json
│ │ │ │ +If properly configured, the output should indicate the following owner:
│ │ │ │ +root
│ │ │ │ +      Is it the case that /etc/kubernetes/kubelet/kubelet-config.json does not have an owner of root?</ocil:question_text>
│ │ │ │ +        </ocil:boolean_question>
│ │ │ │ +        <ocil:boolean_question id="ocil:ssg-kubelet_authorization_mode_question:question:1">
│ │ │ │ +          <ocil:question_text>Run the following command on the kubelet node(s):
│ │ │ │ +$ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1"' | sudo grep -A1 authorization; done
│ │ │ │ +Verify that the output is not set to mode: AlwaysAllow, or missing
│ │ │ │ +(defaults to mode: Webhook).
│ │ │ │ +      Is it the case that &lt;tt&gt;authorization-mode&lt;/tt&gt; is not configured to &lt;tt&gt;Webhook&lt;/tt&gt;?</ocil:question_text>
│ │ │ │ +        </ocil:boolean_question>
│ │ │ │          <ocil:boolean_question id="ocil:ssg-registry_access_question:question:1">
│ │ │ │            <ocil:question_text>Remediation:
│ │ │ │  
│ │ │ │  Before you use IAM to manage access to Amazon ECR, you should understand what
│ │ │ │  IAM features are available to use with Amazon ECR. To get a high-level view
│ │ │ │  of how Amazon ECR and other AWS services work with IAM, see AWS Services That
│ │ │ │  Work with IAM in the IAM User Guide.
│ │ │ │ @@ -2724,154 +2817,115 @@
│ │ │ │  condition keys. For more information, see Using Tag-Based Access Control. To
│ │ │ │  see a list of Amazon ECR condition keys, see Condition Keys Defined by Amazon
│ │ │ │  Elastic Container Registry in the IAM User Guide. To learn with which actions
│ │ │ │  and resources you can use a condition key, see Actions Defined by Amazon
│ │ │ │  Elastic Container Registry.
│ │ │ │        Is it the case that access to the container image registry is restricted?</ocil:question_text>
│ │ │ │          </ocil:boolean_question>
│ │ │ │ -        <ocil:boolean_question id="ocil:ssg-dedicated_service_accounts_question:question:1">
│ │ │ │ -          <ocil:question_text>Audit:
│ │ │ │ -
│ │ │ │ -For each namespace in the cluster, review the rights assigned to the default
│ │ │ │ -service account and ensure that it has no roles or cluster roles bound to it
│ │ │ │ -apart from the defaults. Additionally ensure that the
│ │ │ │ -automountServiceAccountToken: false setting is in place for each
│ │ │ │ -default service account.
│ │ │ │ -
│ │ │ │ -Remediation:
│ │ │ │ -
│ │ │ │ -With IAM roles for service accounts on Amazon EKS clusters, you can associate
│ │ │ │ -an IAM role with a Kubernetes service account. This service account can then
│ │ │ │ -provide AWS permissions to the containers in any pod that uses that service
│ │ │ │ -account. With this feature, you no longer need to provide extended
│ │ │ │ -permissions to the worker node IAM role so that pods on that node can call
│ │ │ │ -AWS APIs.
│ │ │ │ -Applications must sign their AWS API requests with AWS credentials. This
│ │ │ │ -feature provides a strategy for managing credentials for your applications,
│ │ │ │ -similar to the way that Amazon EC2 instance profiles provide credentials to
│ │ │ │ -Amazon EC2 instances. Instead of creating and distributing your AWS
│ │ │ │ -credentials to the containers or using the Amazon EC2 instance’s role, you
│ │ │ │ -can associate an IAM role with a Kubernetes service account. The applications
│ │ │ │ -in the pod’s containers can then use an AWS SDK or the AWS CLI to make API
│ │ │ │ -requests to authorized AWS services.
│ │ │ │ -
│ │ │ │ -The IAM roles for service accounts feature provides the following benefits:
│ │ │ │ -
│ │ │ │ -
│ │ │ │ -  Least privilege — By using the IAM roles for service accounts feature,
│ │ │ │ -  you no longer need to provide extended permissions to the worker node IAM
│ │ │ │ -  role so that pods on that node can call AWS APIs. You can scope IAM
│ │ │ │ -  permissions to a service account, and only pods that use that service
│ │ │ │ -  account have access to those permissions. This feature also eliminates the
│ │ │ │ -  need for third-party solutions such as kiam or kube2iam.
│ │ │ │ -  Credential isolation — A container can only retrieve credentials for
│ │ │ │ -  the IAM role that is associated with the service account to which it
│ │ │ │ -  belongs. A container never has access to credentials that are intended for
│ │ │ │ -  another container that belongs to another pod.
│ │ │ │ -  Auditability — Access and event logging is available through CloudTrail
│ │ │ │ -  to help ensure retrospective auditing.
│ │ │ │ -
│ │ │ │ -
│ │ │ │ -To get started, see Enabling IAM roles for service accounts on your cluster.
│ │ │ │ -For an end-to-end walkthrough using eksctl, see Walkthrough: Updating
│ │ │ │ -a DaemonSet to use IAM for service accounts.
│ │ │ │ -      Is it the case that dedicated service accounts are used?</ocil:question_text>
│ │ │ │ -        </ocil:boolean_question>
│ │ │ │ -        <ocil:boolean_question id="ocil:ssg-kubelet_enable_protect_kernel_defaults_question:question:1">
│ │ │ │ -          <ocil:question_text>Run the following command on the kubelet node(s):
│ │ │ │ -$ sudo grep protectKernelDefaults /etc/kubernetes/kubelet/kubelet-config.json
│ │ │ │ -The output should return true.
│ │ │ │ -      Is it the case that the kubelet can modify kernel parameters?</ocil:question_text>
│ │ │ │ -        </ocil:boolean_question>
│ │ │ │          <ocil:boolean_question id="ocil:ssg-file_permissions_worker_kubeconfig_question:question:1">
│ │ │ │            <ocil:question_text>To check the permissions of /var/lib/kubelet/kubeconfig,
│ │ │ │  run the command:
│ │ │ │  $ ls -l /var/lib/kubelet/kubeconfig
│ │ │ │  If properly configured, the output should indicate the following permissions:
│ │ │ │  -rw-r--r--
│ │ │ │        Is it the case that /var/lib/kubelet/kubeconfig does not have unix mode -rw-r--r--?</ocil:question_text>
│ │ │ │          </ocil:boolean_question>
│ │ │ │ -        <ocil:boolean_question id="ocil:ssg-audit_logging_question:question:1">
│ │ │ │ -          <ocil:question_text>Perform the following to determine if CloudTrail is enabled for all regions:
│ │ │ │ -Via the Management Console
│ │ │ │ -1. Sign in to the AWS Management Console and open the EKS console at https://console.aws.amazon.com/eks
│ │ │ │ -2. Click on Cluster Name of the cluster you are auditing
│ │ │ │ -3. Click Logging
│ │ │ │ -4. Ensure all 5 choices are set to Enabled
│ │ │ │ -Via CLI
│ │ │ │ -aws --region "${REGION_CODE}" eks describe-cluster --name "${CLUSTER_NAME}"  --query 'cluster.logging.clusterLogging[?enabled==true].types'
│ │ │ │ -
│ │ │ │ -Perform the following to determine if CloudTrail is enabled for all regions:
│ │ │ │ -Via The Management Console
│ │ │ │ -1. Sign in to the AWS Management Console and open the EKS console at https://console.aws.amazon.com/eks
│ │ │ │ -2. Click on Cluster Name of the cluster you are auditing
│ │ │ │ -3. Click Logging
│ │ │ │ -4. Select Manage Logging from the button on the right hand side
│ │ │ │ -5. Toggle each selection to the Enabled position.
│ │ │ │ -6. Click Save Changes
│ │ │ │ -      Is it the case that audit logging is enable?</ocil:question_text>
│ │ │ │ -        </ocil:boolean_question>
│ │ │ │ -        <ocil:boolean_question id="ocil:ssg-kubelet_read_only_port_secured_question:question:1">
│ │ │ │ -          <ocil:question_text>Run the following command on the kubelet node(s):
│ │ │ │ -$ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1"' | grep readOnlyPort; done
│ │ │ │ -and make sure it outputs 0.
│ │ │ │ -      Is it the case that readOnlyPort is not secured?</ocil:question_text>
│ │ │ │ -        </ocil:boolean_question>
│ │ │ │          <ocil:boolean_question id="ocil:ssg-endpoint_configuration_question:question:1">
│ │ │ │            <ocil:question_text>Configure the EKS cluster endpoint to be private. See Modifying Cluster
│ │ │ │  Endpoint Access for further information on this topic.
│ │ │ │  https://docs.aws.amazon.com/eks/latest/userguide/cluster-endpoint.html
│ │ │ │        Is it the case that private access is enabled and public access is disabled?</ocil:question_text>
│ │ │ │          </ocil:boolean_question>
│ │ │ │ -        <ocil:boolean_question id="ocil:ssg-secret_encryption_question:question:1">
│ │ │ │ -          <ocil:question_text>Audit:
│ │ │ │ -
│ │ │ │ -For Amazon EKS clusters with Secrets Encryption enabled, look for
│ │ │ │ -'encryptionConfig' configuration when you run:
│ │ │ │ -aws eks describe-cluster --name="cluster-name"
│ │ │ │ -
│ │ │ │ -Remediation:
│ │ │ │ +        <ocil:boolean_question id="ocil:ssg-kubelet_enable_streaming_connections_deprecated_question:question:1">
│ │ │ │ +          <ocil:question_text>Run the following command on the kubelet node(s):
│ │ │ │ +$ sudo grep streamingConnectionIdleTimeout /etc/kubernetes/kubelet/kubelet-config.json
│ │ │ │ +The output should return {{ .var_streaming_connection_timeouts }}.
│ │ │ │ +      Is it the case that the streaming connection timeouts are not disabled?</ocil:question_text>
│ │ │ │ +        </ocil:boolean_question>
│ │ │ │ +        <ocil:boolean_question id="ocil:ssg-private_nodes_question:question:1">
│ │ │ │ +          <ocil:question_text>To enable Private Nodes, the cluster has to also be configured with a private
│ │ │ │ +master IP range and IP Aliasing enabled. Private Nodes do not have outbound
│ │ │ │ +access to the public internet.
│ │ │ │  
│ │ │ │ -Enable 'Secrets Encryption' during Amazon EKS cluster creation as
│ │ │ │ -described in the links within the 'References' section.
│ │ │ │ +If you want to provide outbound Internet access for your private nodes, you
│ │ │ │ +can use Cloud NAT or you can manage your own NAT gateway.
│ │ │ │ +      Is it the case that clusters are created with private nodes?</ocil:question_text>
│ │ │ │ +        </ocil:boolean_question>
│ │ │ │ +        <ocil:boolean_question id="ocil:ssg-kubelet_enable_streaming_connections_question:question:1">
│ │ │ │ +          <ocil:question_text>Run the following command on the kubelet node(s):
│ │ │ │ +$ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1"' | grep streamingConnectionIdleTimeout; done
│ │ │ │ +The output should not return 0.
│ │ │ │ +      Is it the case that the streaming connection timeouts are not disabled?</ocil:question_text>
│ │ │ │ +        </ocil:boolean_question>
│ │ │ │ +        <ocil:boolean_question id="ocil:ssg-approved_registries_question:question:1">
│ │ │ │ +          <ocil:question_text>Ensure all containers and images are coming from approved registries.
│ │ │ │  
│ │ │ │  References:
│ │ │ │  
│ │ │ │ -  https://docs.aws.amazon.com/eks/latest/userguide/create-cluster.html
│ │ │ │ -  https://eksworkshop.com/beginner/191_secrets/
│ │ │ │ +https://aws.amazon.com/blogs/opensource/using-open-policy-agent-on-amazon-eks/
│ │ │ │ +      Is it the case that container images come from approved registries?</ocil:question_text>
│ │ │ │ +        </ocil:boolean_question>
│ │ │ │ +        <ocil:boolean_question id="ocil:ssg-configure_tls_question:question:1">
│ │ │ │ +          <ocil:question_text>For more information about protecting your workloads using TLS please refer
│ │ │ │ +to the AWS User Guide:
│ │ │ │  
│ │ │ │ -      Is it the case that kubernetes secrets are encrypted in etcd?</ocil:question_text>
│ │ │ │ +https://docs.aws.amazon.com/elasticloadbalancing/latest/userguide/data-protection.html
│ │ │ │ +      Is it the case that connections to load balancers and workloads are encrypted with TLS?</ocil:question_text>
│ │ │ │          </ocil:boolean_question>
│ │ │ │ -        <ocil:boolean_question id="ocil:ssg-kubelet_enable_iptables_util_chains_question:question:1">
│ │ │ │ +        <ocil:boolean_question id="ocil:ssg-kubelet_anonymous_auth_question:question:1">
│ │ │ │            <ocil:question_text>Run the following command on the kubelet node(s):
│ │ │ │ -$ oc get --raw /api/v1/nodes/${NODE_NAME}/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1"' | grep makeIPTablesUtilChains 
│ │ │ │ -The output should return true.
│ │ │ │ -      Is it the case that the kubelet cannot modify the firewall settings?</ocil:question_text>
│ │ │ │ +$ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1"' | grep -A1 anonymous; done
│ │ │ │ +The output should return enabled: false.
│ │ │ │ +      Is it the case that &lt;tt&gt;anonymous&lt;/tt&gt; authentication is not set to &lt;tt&gt;false&lt;/tt&gt;?</ocil:question_text>
│ │ │ │          </ocil:boolean_question>
│ │ │ │          <ocil:boolean_question id="ocil:ssg-file_owner_worker_kubeconfig_question:question:1">
│ │ │ │            <ocil:question_text>To check the ownership of /var/lib/kubelet/kubeconfig,
│ │ │ │  run the command:
│ │ │ │  $ ls -lL /var/lib/kubelet/kubeconfig
│ │ │ │  If properly configured, the output should indicate the following owner:
│ │ │ │  root
│ │ │ │        Is it the case that /var/lib/kubelet/kubeconfig does not have an owner of root?</ocil:question_text>
│ │ │ │          </ocil:boolean_question>
│ │ │ │ -        <ocil:boolean_question id="ocil:ssg-kubelet_enable_server_cert_rotation_question:question:1">
│ │ │ │ +        <ocil:boolean_question id="ocil:ssg-kubelet_enable_iptables_util_chains_question:question:1">
│ │ │ │            <ocil:question_text>Run the following command on the kubelet node(s):
│ │ │ │ -$ for node in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$node/proxy/configz | jq '.kubeletconfig.serverTLSBootstrap'; done
│ │ │ │ +$ oc get --raw /api/v1/nodes/${NODE_NAME}/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1"' | grep makeIPTablesUtilChains 
│ │ │ │  The output should return true.
│ │ │ │ -      Is it the case that the kubelet cannot rotate server certificate?</ocil:question_text>
│ │ │ │ +      Is it the case that the kubelet cannot modify the firewall settings?</ocil:question_text>
│ │ │ │          </ocil:boolean_question>
│ │ │ │ -        <ocil:boolean_question id="ocil:ssg-file_groupowner_kubelet_conf_question:question:1">
│ │ │ │ -          <ocil:question_text>To check the group ownership of /etc/kubernetes/kubelet/kubelet-config.json,
│ │ │ │ +        <ocil:boolean_question id="ocil:ssg-iam_integration_question:question:1">
│ │ │ │ +          <ocil:question_text>Audit:
│ │ │ │ +
│ │ │ │ +To Audit access to the namespace $NAMESPACE, assume the IAM role
│ │ │ │ +yourIAMRoleName for a user that you created, and then run the following
│ │ │ │ +command:
│ │ │ │ +
│ │ │ │ +$ kubectl get role -n $NAMESPACE
│ │ │ │ +The response lists the RBAC role that has access to this Namespace.
│ │ │ │ +
│ │ │ │ +Remediation:
│ │ │ │ +
│ │ │ │ +Refer to the 'Managing users or IAM roles for your cluster' in Amazon EKS
│ │ │ │ +documentation.
│ │ │ │ +
│ │ │ │ +https://docs.aws.amazon.com/eks/latest/userguide/add-user-role.html
│ │ │ │ +      Is it the case that authorization and authentication is managed using AWS IAM?</ocil:question_text>
│ │ │ │ +        </ocil:boolean_question>
│ │ │ │ +        <ocil:boolean_question id="ocil:ssg-file_groupowner_worker_kubeconfig_question:question:1">
│ │ │ │ +          <ocil:question_text>To check the group ownership of /var/lib/kubelet/kubeconfig,
│ │ │ │  run the command:
│ │ │ │ -$ ls -lL /etc/kubernetes/kubelet/kubelet-config.json
│ │ │ │ +$ ls -lL /var/lib/kubelet/kubeconfig
│ │ │ │  If properly configured, the output should indicate the following group-owner:
│ │ │ │  root
│ │ │ │ -      Is it the case that /etc/kubernetes/kubelet/kubelet-config.json does not have a group owner of root?</ocil:question_text>
│ │ │ │ +      Is it the case that /var/lib/kubelet/kubeconfig does not have a group owner of root?</ocil:question_text>
│ │ │ │ +        </ocil:boolean_question>
│ │ │ │ +        <ocil:boolean_question id="ocil:ssg-kubelet_enable_cert_rotation_question:question:1">
│ │ │ │ +          <ocil:question_text>Run the following command on the kubelet node(s):
│ │ │ │ +$ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1"' | grep rotateCertificates; done
│ │ │ │ +The output should return nothing or true.
│ │ │ │ +      Is it the case that the kubelet cannot rotate client certificate?</ocil:question_text>
│ │ │ │          </ocil:boolean_question>
│ │ │ │          <ocil:boolean_question id="ocil:ssg-fargate_question:question:1">
│ │ │ │            <ocil:question_text>Audit:
│ │ │ │  Check the existence of Fargate profiles in the Amazon EKS cluster by using:
│ │ │ │  
│ │ │ │  aws --region ${AWS_REGION} eks list-fargate-profiles --cluster-name ${CLUSTER_NAME}
│ │ │ │  Alternatively, to audit for the presence of a Fargate profile node run the
│ │ │ │ @@ -2933,89 +2987,73 @@
│ │ │ │    the specified namespace that also have the infrastructure: fargate
│ │ │ │    Kubernetes label match the selector. 
│ │ │ │    On the Review and create page, review the information for your Fargate
│ │ │ │    profile and choose Create.
│ │ │ │  
│ │ │ │        Is it the case that untrusted workloads are isolated?</ocil:question_text>
│ │ │ │          </ocil:boolean_question>
│ │ │ │ -        <ocil:boolean_question id="ocil:ssg-configure_network_policies_namespaces_question:question:1">
│ │ │ │ -          <ocil:question_text>Verify that the every non-control plane namespace has an appropriate
│ │ │ │ -NetworkPolicy.
│ │ │ │ -
│ │ │ │ -To get all the non-control plane namespaces, you can do the
│ │ │ │ -following command $ oc get  namespaces -o json | jq '[.items[] | select((.metadata.name | startswith("openshift") | not) and (.metadata.name | startswith("kube-") | not) and .metadata.name != "default" and ({{if ne .var_network_policies_namespaces_exempt_regex "None"}}.metadata.name | test("{{.var_network_policies_namespaces_exempt_regex}}") | not{{else}}true{{end}})) | .metadata.name ]'
│ │ │ │ -
│ │ │ │ -To get all the non-control plane namespaces with a NetworkPolicy, you can do the
│ │ │ │ -following command $ oc get --all-namespaces networkpolicies -o json | jq '[.items[] | select((.metadata.namespace | startswith("openshift") | not) and (.metadata.namespace | startswith("kube-") | not) and .metadata.namespace != "default" and ({{if ne .var_network_policies_namespaces_exempt_regex "None"}}.metadata.namespace | test("{{.var_network_policies_namespaces_exempt_regex}}") | not{{else}}true{{end}})) | .metadata.namespace] | unique'
│ │ │ │ -
│ │ │ │ -Namespaces matching the variable ocp4-var-network-policies-namespaces-exempt-regex regex are excluded from this check.
│ │ │ │ -
│ │ │ │ -Make sure that the namespaces displayed in the commands of the commands match.
│ │ │ │ -      Is it the case that Namespaced Network Policies needs review?</ocil:question_text>
│ │ │ │ -        </ocil:boolean_question>
│ │ │ │ -        <ocil:boolean_question id="ocil:ssg-file_groupowner_worker_kubeconfig_question:question:1">
│ │ │ │ -          <ocil:question_text>To check the group ownership of /var/lib/kubelet/kubeconfig,
│ │ │ │ -run the command:
│ │ │ │ -$ ls -lL /var/lib/kubelet/kubeconfig
│ │ │ │ -If properly configured, the output should indicate the following group-owner:
│ │ │ │ -root
│ │ │ │ -      Is it the case that /var/lib/kubelet/kubeconfig does not have a group owner of root?</ocil:question_text>
│ │ │ │ +        <ocil:boolean_question id="ocil:ssg-kubelet_enable_server_cert_rotation_question:question:1">
│ │ │ │ +          <ocil:question_text>Run the following command on the kubelet node(s):
│ │ │ │ +$ for node in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$node/proxy/configz | jq '.kubeletconfig.serverTLSBootstrap'; done
│ │ │ │ +The output should return true.
│ │ │ │ +      Is it the case that the kubelet cannot rotate server certificate?</ocil:question_text>
│ │ │ │          </ocil:boolean_question>
│ │ │ │ -        <ocil:boolean_question id="ocil:ssg-kubelet_anonymous_auth_question:question:1">
│ │ │ │ +        <ocil:boolean_question id="ocil:ssg-kubelet_enable_client_cert_rotation_question:question:1">
│ │ │ │            <ocil:question_text>Run the following command on the kubelet node(s):
│ │ │ │ -$ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1"' | grep -A1 anonymous; done
│ │ │ │ -The output should return enabled: false.
│ │ │ │ -      Is it the case that &lt;tt&gt;anonymous&lt;/tt&gt; authentication is not set to &lt;tt&gt;false&lt;/tt&gt;?</ocil:question_text>
│ │ │ │ +$ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1"' | grep RotateKubeletClientCertificate; done
│ │ │ │ +The output should return nothing or true.
│ │ │ │ +      Is it the case that the kubelet cannot rotate client certificate?</ocil:question_text>
│ │ │ │          </ocil:boolean_question>
│ │ │ │ -        <ocil:boolean_question id="ocil:ssg-iam_integration_question:question:1">
│ │ │ │ +        <ocil:boolean_question id="ocil:ssg-dedicated_service_accounts_question:question:1">
│ │ │ │            <ocil:question_text>Audit:
│ │ │ │  
│ │ │ │ -To Audit access to the namespace $NAMESPACE, assume the IAM role
│ │ │ │ -yourIAMRoleName for a user that you created, and then run the following
│ │ │ │ -command:
│ │ │ │ -
│ │ │ │ -$ kubectl get role -n $NAMESPACE
│ │ │ │ -The response lists the RBAC role that has access to this Namespace.
│ │ │ │ +For each namespace in the cluster, review the rights assigned to the default
│ │ │ │ +service account and ensure that it has no roles or cluster roles bound to it
│ │ │ │ +apart from the defaults. Additionally ensure that the
│ │ │ │ +automountServiceAccountToken: false setting is in place for each
│ │ │ │ +default service account.
│ │ │ │  
│ │ │ │  Remediation:
│ │ │ │  
│ │ │ │ -Refer to the 'Managing users or IAM roles for your cluster' in Amazon EKS
│ │ │ │ -documentation.
│ │ │ │ +With IAM roles for service accounts on Amazon EKS clusters, you can associate
│ │ │ │ +an IAM role with a Kubernetes service account. This service account can then
│ │ │ │ +provide AWS permissions to the containers in any pod that uses that service
│ │ │ │ +account. With this feature, you no longer need to provide extended
│ │ │ │ +permissions to the worker node IAM role so that pods on that node can call
│ │ │ │ +AWS APIs.
│ │ │ │ +Applications must sign their AWS API requests with AWS credentials. This
│ │ │ │ +feature provides a strategy for managing credentials for your applications,
│ │ │ │ +similar to the way that Amazon EC2 instance profiles provide credentials to
│ │ │ │ +Amazon EC2 instances. Instead of creating and distributing your AWS
│ │ │ │ +credentials to the containers or using the Amazon EC2 instance’s role, you
│ │ │ │ +can associate an IAM role with a Kubernetes service account. The applications
│ │ │ │ +in the pod’s containers can then use an AWS SDK or the AWS CLI to make API
│ │ │ │ +requests to authorized AWS services.
│ │ │ │  
│ │ │ │ -https://docs.aws.amazon.com/eks/latest/userguide/add-user-role.html
│ │ │ │ -      Is it the case that authorization and authentication is managed using AWS IAM?</ocil:question_text>
│ │ │ │ -        </ocil:boolean_question>
│ │ │ │ -        <ocil:boolean_question id="ocil:ssg-private_nodes_question:question:1">
│ │ │ │ -          <ocil:question_text>To enable Private Nodes, the cluster has to also be configured with a private
│ │ │ │ -master IP range and IP Aliasing enabled. Private Nodes do not have outbound
│ │ │ │ -access to the public internet.
│ │ │ │ +The IAM roles for service accounts feature provides the following benefits:
│ │ │ │  
│ │ │ │ -If you want to provide outbound Internet access for your private nodes, you
│ │ │ │ -can use Cloud NAT or you can manage your own NAT gateway.
│ │ │ │ -      Is it the case that clusters are created with private nodes?</ocil:question_text>
│ │ │ │ -        </ocil:boolean_question>
│ │ │ │ -        <ocil:boolean_question id="ocil:ssg-kubelet_configure_client_ca_question:question:1">
│ │ │ │ -          <ocil:question_text>Run the following command on the kubelet node(s):
│ │ │ │ -$ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1"' | grep -A1 x509; done
│ │ │ │ -The output should contain a configured certificate like /etc/kubernetes/pki/ca.crt.
│ │ │ │ -      Is it the case that no client CA certificate has been configured?</ocil:question_text>
│ │ │ │ -        </ocil:boolean_question>
│ │ │ │ -        <ocil:boolean_question id="ocil:ssg-kubelet_authorization_mode_question:question:1">
│ │ │ │ -          <ocil:question_text>Run the following command on the kubelet node(s):
│ │ │ │ -$ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1"' | sudo grep -A1 authorization; done
│ │ │ │ -Verify that the output is not set to mode: AlwaysAllow, or missing
│ │ │ │ -(defaults to mode: Webhook).
│ │ │ │ -      Is it the case that &lt;tt&gt;authorization-mode&lt;/tt&gt; is not configured to &lt;tt&gt;Webhook&lt;/tt&gt;?</ocil:question_text>
│ │ │ │ -        </ocil:boolean_question>
│ │ │ │ -        <ocil:boolean_question id="ocil:ssg-configure_tls_question:question:1">
│ │ │ │ -          <ocil:question_text>For more information about protecting your workloads using TLS please refer
│ │ │ │ -to the AWS User Guide:
│ │ │ │  
│ │ │ │ -https://docs.aws.amazon.com/elasticloadbalancing/latest/userguide/data-protection.html
│ │ │ │ -      Is it the case that connections to load balancers and workloads are encrypted with TLS?</ocil:question_text>
│ │ │ │ +  Least privilege — By using the IAM roles for service accounts feature,
│ │ │ │ +  you no longer need to provide extended permissions to the worker node IAM
│ │ │ │ +  role so that pods on that node can call AWS APIs. You can scope IAM
│ │ │ │ +  permissions to a service account, and only pods that use that service
│ │ │ │ +  account have access to those permissions. This feature also eliminates the
│ │ │ │ +  need for third-party solutions such as kiam or kube2iam.
│ │ │ │ +  Credential isolation — A container can only retrieve credentials for
│ │ │ │ +  the IAM role that is associated with the service account to which it
│ │ │ │ +  belongs. A container never has access to credentials that are intended for
│ │ │ │ +  another container that belongs to another pod.
│ │ │ │ +  Auditability — Access and event logging is available through CloudTrail
│ │ │ │ +  to help ensure retrospective auditing.
│ │ │ │ +
│ │ │ │ +
│ │ │ │ +To get started, see Enabling IAM roles for service accounts on your cluster.
│ │ │ │ +For an end-to-end walkthrough using eksctl, see Walkthrough: Updating
│ │ │ │ +a DaemonSet to use IAM for service accounts.
│ │ │ │ +      Is it the case that dedicated service accounts are used?</ocil:question_text>
│ │ │ │          </ocil:boolean_question>
│ │ │ │          <ocil:boolean_question id="ocil:ssg-configure_network_policy_question:question:1">
│ │ │ │            <ocil:question_text>Network Policy requires the Network Policy add-on. This add-on is included
│ │ │ │  automatically when a cluster with Network Policy is created, but for an
│ │ │ │  existing cluster, needs to be added prior to enabling Network Policy.
│ │ │ │  
│ │ │ │  Enabling/Disabling Network Policy causes a rolling update of all cluster
│ │ │ │ @@ -3029,120 +3067,14 @@
│ │ │ │  
│ │ │ │  Enabling Network Policy enforcement consumes additional resources in nodes.
│ │ │ │  Specifically, it increases the memory footprint of the kube-system
│ │ │ │  process by approximately 128MB, and requires approximately 300 millicores of
│ │ │ │  CPU.
│ │ │ │        Is it the case that network policy is enabled?</ocil:question_text>
│ │ │ │          </ocil:boolean_question>
│ │ │ │ -        <ocil:boolean_question id="ocil:ssg-file_owner_kubelet_conf_question:question:1">
│ │ │ │ -          <ocil:question_text>To check the ownership of /etc/kubernetes/kubelet/kubelet-config.json,
│ │ │ │ -run the command:
│ │ │ │ -$ ls -lL /etc/kubernetes/kubelet/kubelet-config.json
│ │ │ │ -If properly configured, the output should indicate the following owner:
│ │ │ │ -root
│ │ │ │ -      Is it the case that /etc/kubernetes/kubelet/kubelet-config.json does not have an owner of root?</ocil:question_text>
│ │ │ │ -        </ocil:boolean_question>
│ │ │ │ -        <ocil:boolean_question id="ocil:ssg-approved_registries_question:question:1">
│ │ │ │ -          <ocil:question_text>Ensure all containers and images are coming from approved registries.
│ │ │ │ -
│ │ │ │ -References:
│ │ │ │ -
│ │ │ │ -https://aws.amazon.com/blogs/opensource/using-open-policy-agent-on-amazon-eks/
│ │ │ │ -      Is it the case that container images come from approved registries?</ocil:question_text>
│ │ │ │ -        </ocil:boolean_question>
│ │ │ │ -        <ocil:boolean_question id="ocil:ssg-kubelet_enable_streaming_connections_question:question:1">
│ │ │ │ -          <ocil:question_text>Run the following command on the kubelet node(s):
│ │ │ │ -$ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1"' | grep streamingConnectionIdleTimeout; done
│ │ │ │ -The output should not return 0.
│ │ │ │ -      Is it the case that the streaming connection timeouts are not disabled?</ocil:question_text>
│ │ │ │ -        </ocil:boolean_question>
│ │ │ │ -        <ocil:boolean_question id="ocil:ssg-image_scanning_question:question:1">
│ │ │ │ -          <ocil:question_text>Please follow AWS ECS or your 3rd party image scanning provider's guidelines
│ │ │ │ -for enabling Image Scanning.
│ │ │ │ -
│ │ │ │ -Remediation:
│ │ │ │ -
│ │ │ │ -To utilize AWS ECR for Image scanning please follow the steps below:
│ │ │ │ -
│ │ │ │ -To create a repository configured for scan on push (AWS CLI)
│ │ │ │ -
│ │ │ │ -aws ecr create-repository --repository-name $REPO_NAME --image-scanning- configuration scanOnPush=true --region $REGION_CODE
│ │ │ │ -
│ │ │ │ -To edit the settings of an existing repository (AWS CLI)
│ │ │ │ -
│ │ │ │ -aws ecr put-image-scanning-configuration --repository-name $REPO_NAME -- image-scanning-configuration scanOnPush=true --region $REGION_CODE
│ │ │ │ -
│ │ │ │ -Use the following steps to start a manual image scan using the AWS Management Console.
│ │ │ │ -
│ │ │ │ -1. Open the Amazon ECR console at https://console.aws.amazon.com/ecr/repositories.
│ │ │ │ -2. From the navigation bar, choose the Region to create your repository in.
│ │ │ │ -3. In the navigation pane, choose Repositories.
│ │ │ │ -4. On the Repositories page, choose the repository that contains the image to scan.
│ │ │ │ -5. On the Images page, select the image to scan and then choose Scan.
│ │ │ │ -      Is it the case that image vulnerability scanning is enabled?</ocil:question_text>
│ │ │ │ -        </ocil:boolean_question>
│ │ │ │ -        <ocil:boolean_question id="ocil:ssg-read_only_registry_access_question:question:1">
│ │ │ │ -          <ocil:question_text>Review AWS ECS worker node IAM role (NodeInstanceRole) IAM Policy Permissions
│ │ │ │ -to verify that they are set and the minimum required level. If utilizing a
│ │ │ │ -3rd party tool to scan images utilize the minimum required permission level
│ │ │ │ -required to interact with the cluster - generally this should be read-only.
│ │ │ │ -
│ │ │ │ -Remediation:
│ │ │ │ -
│ │ │ │ -You can use your Amazon ECR images with Amazon EKS, but you need to satisfy
│ │ │ │ -the following prerequisites.
│ │ │ │ -The Amazon EKS worker node IAM role (NodeInstanceRole) that you use with your
│ │ │ │ -worker nodes must possess the following IAM policy permissions for Amazon
│ │ │ │ -ECR.
│ │ │ │ -
│ │ │ │ -
│ │ │ │ -{
│ │ │ │ -  "Version": "2012-10-17",
│ │ │ │ -  "Statement": [
│ │ │ │ -    {
│ │ │ │ -      "Effect": "Allow",
│ │ │ │ -      "Action": [
│ │ │ │ -        "ecr:BatchCheckLayerAvailability",
│ │ │ │ -        "ecr:BatchGetImage",
│ │ │ │ -        "ecr:GetDownloadUrlForLayer",
│ │ │ │ -        "ecr:GetAuthorizationToken"
│ │ │ │ -      ],
│ │ │ │ -      "Resource": "*"
│ │ │ │ -    }
│ │ │ │ -  ]
│ │ │ │ -}
│ │ │ │ -
│ │ │ │ -      Is it the case that Cluster Service Account has read-only access to Amazon ECR?</ocil:question_text>
│ │ │ │ -        </ocil:boolean_question>
│ │ │ │ -        <ocil:boolean_question id="ocil:ssg-kubelet_enable_cert_rotation_question:question:1">
│ │ │ │ -          <ocil:question_text>Run the following command on the kubelet node(s):
│ │ │ │ -$ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1"' | grep rotateCertificates; done
│ │ │ │ -The output should return nothing or true.
│ │ │ │ -      Is it the case that the kubelet cannot rotate client certificate?</ocil:question_text>
│ │ │ │ -        </ocil:boolean_question>
│ │ │ │ -        <ocil:boolean_question id="ocil:ssg-kubelet_enable_streaming_connections_deprecated_question:question:1">
│ │ │ │ -          <ocil:question_text>Run the following command on the kubelet node(s):
│ │ │ │ -$ sudo grep streamingConnectionIdleTimeout /etc/kubernetes/kubelet/kubelet-config.json
│ │ │ │ -The output should return {{ .var_streaming_connection_timeouts }}.
│ │ │ │ -      Is it the case that the streaming connection timeouts are not disabled?</ocil:question_text>
│ │ │ │ -        </ocil:boolean_question>
│ │ │ │ -        <ocil:boolean_question id="ocil:ssg-kubelet_enable_client_cert_rotation_question:question:1">
│ │ │ │ -          <ocil:question_text>Run the following command on the kubelet node(s):
│ │ │ │ -$ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1"' | grep RotateKubeletClientCertificate; done
│ │ │ │ -The output should return nothing or true.
│ │ │ │ -      Is it the case that the kubelet cannot rotate client certificate?</ocil:question_text>
│ │ │ │ -        </ocil:boolean_question>
│ │ │ │ -        <ocil:boolean_question id="ocil:ssg-file_permissions_kubelet_conf_question:question:1">
│ │ │ │ -          <ocil:question_text>To check the permissions of /etc/kubernetes/kubelet/kubelet-config.json,
│ │ │ │ -run the command:
│ │ │ │ -$ ls -l /etc/kubernetes/kubelet/kubelet-config.json
│ │ │ │ -If properly configured, the output should indicate the following permissions:
│ │ │ │ --rw-r--r--
│ │ │ │ -      Is it the case that /etc/kubernetes/kubelet/kubelet-config.json does not have unix mode -rw-r--r--?</ocil:question_text>
│ │ │ │ -        </ocil:boolean_question>
│ │ │ │          <ocil:boolean_question id="ocil:ssg-control_plane_access_question:question:1">
│ │ │ │            <ocil:question_text>Audit:
│ │ │ │  Input:
│ │ │ │  
│ │ │ │  aws eks describe-cluster \
│ │ │ │  --region region \
│ │ │ │  --name clustername
│ │ │ │ @@ -3191,14 +3123,82 @@
│ │ │ │  --name dev \
│ │ │ │  --resources-vpc-config \
│ │ │ │  endpointPublicAccess=true, \
│ │ │ │  publicAccessCidrs="203.0.113.5/32",\
│ │ │ │  endpointPrivateAccess=true
│ │ │ │        Is it the case that the control plane endpoint is secure?</ocil:question_text>
│ │ │ │          </ocil:boolean_question>
│ │ │ │ +        <ocil:boolean_question id="ocil:ssg-secret_encryption_question:question:1">
│ │ │ │ +          <ocil:question_text>Audit:
│ │ │ │ +
│ │ │ │ +For Amazon EKS clusters with Secrets Encryption enabled, look for
│ │ │ │ +'encryptionConfig' configuration when you run:
│ │ │ │ +aws eks describe-cluster --name="cluster-name"
│ │ │ │ +
│ │ │ │ +Remediation:
│ │ │ │ +
│ │ │ │ +Enable 'Secrets Encryption' during Amazon EKS cluster creation as
│ │ │ │ +described in the links within the 'References' section.
│ │ │ │ +
│ │ │ │ +References:
│ │ │ │ +
│ │ │ │ +  https://docs.aws.amazon.com/eks/latest/userguide/create-cluster.html
│ │ │ │ +  https://eksworkshop.com/beginner/191_secrets/
│ │ │ │ +
│ │ │ │ +      Is it the case that kubernetes secrets are encrypted in etcd?</ocil:question_text>
│ │ │ │ +        </ocil:boolean_question>
│ │ │ │ +        <ocil:boolean_question id="ocil:ssg-file_permissions_kubelet_conf_question:question:1">
│ │ │ │ +          <ocil:question_text>To check the permissions of /etc/kubernetes/kubelet/kubelet-config.json,
│ │ │ │ +run the command:
│ │ │ │ +$ ls -l /etc/kubernetes/kubelet/kubelet-config.json
│ │ │ │ +If properly configured, the output should indicate the following permissions:
│ │ │ │ +-rw-r--r--
│ │ │ │ +      Is it the case that /etc/kubernetes/kubelet/kubelet-config.json does not have unix mode -rw-r--r--?</ocil:question_text>
│ │ │ │ +        </ocil:boolean_question>
│ │ │ │ +        <ocil:boolean_question id="ocil:ssg-configure_network_policies_namespaces_question:question:1">
│ │ │ │ +          <ocil:question_text>Verify that the every non-control plane namespace has an appropriate
│ │ │ │ +NetworkPolicy.
│ │ │ │ +
│ │ │ │ +To get all the non-control plane namespaces, you can do the
│ │ │ │ +following command $ oc get  namespaces -o json | jq '[.items[] | select((.metadata.name | startswith("openshift") | not) and (.metadata.name | startswith("kube-") | not) and .metadata.name != "default" and ({{if ne .var_network_policies_namespaces_exempt_regex "None"}}.metadata.name | test("{{.var_network_policies_namespaces_exempt_regex}}") | not{{else}}true{{end}})) | .metadata.name ]'
│ │ │ │ +
│ │ │ │ +To get all the non-control plane namespaces with a NetworkPolicy, you can do the
│ │ │ │ +following command $ oc get --all-namespaces networkpolicies -o json | jq '[.items[] | select((.metadata.namespace | startswith("openshift") | not) and (.metadata.namespace | startswith("kube-") | not) and .metadata.namespace != "default" and ({{if ne .var_network_policies_namespaces_exempt_regex "None"}}.metadata.namespace | test("{{.var_network_policies_namespaces_exempt_regex}}") | not{{else}}true{{end}})) | .metadata.namespace] | unique'
│ │ │ │ +
│ │ │ │ +Namespaces matching the variable ocp4-var-network-policies-namespaces-exempt-regex regex are excluded from this check.
│ │ │ │ +
│ │ │ │ +Make sure that the namespaces displayed in the commands of the commands match.
│ │ │ │ +      Is it the case that Namespaced Network Policies needs review?</ocil:question_text>
│ │ │ │ +        </ocil:boolean_question>
│ │ │ │ +        <ocil:boolean_question id="ocil:ssg-audit_logging_question:question:1">
│ │ │ │ +          <ocil:question_text>Perform the following to determine if CloudTrail is enabled for all regions:
│ │ │ │ +Via the Management Console
│ │ │ │ +1. Sign in to the AWS Management Console and open the EKS console at https://console.aws.amazon.com/eks
│ │ │ │ +2. Click on Cluster Name of the cluster you are auditing
│ │ │ │ +3. Click Logging
│ │ │ │ +4. Ensure all 5 choices are set to Enabled
│ │ │ │ +Via CLI
│ │ │ │ +aws --region "${REGION_CODE}" eks describe-cluster --name "${CLUSTER_NAME}"  --query 'cluster.logging.clusterLogging[?enabled==true].types'
│ │ │ │ +
│ │ │ │ +Perform the following to determine if CloudTrail is enabled for all regions:
│ │ │ │ +Via The Management Console
│ │ │ │ +1. Sign in to the AWS Management Console and open the EKS console at https://console.aws.amazon.com/eks
│ │ │ │ +2. Click on Cluster Name of the cluster you are auditing
│ │ │ │ +3. Click Logging
│ │ │ │ +4. Select Manage Logging from the button on the right hand side
│ │ │ │ +5. Toggle each selection to the Enabled position.
│ │ │ │ +6. Click Save Changes
│ │ │ │ +      Is it the case that audit logging is enable?</ocil:question_text>
│ │ │ │ +        </ocil:boolean_question>
│ │ │ │ +        <ocil:boolean_question id="ocil:ssg-kubelet_enable_protect_kernel_defaults_question:question:1">
│ │ │ │ +          <ocil:question_text>Run the following command on the kubelet node(s):
│ │ │ │ +$ sudo grep protectKernelDefaults /etc/kubernetes/kubelet/kubelet-config.json
│ │ │ │ +The output should return true.
│ │ │ │ +      Is it the case that the kubelet can modify kernel parameters?</ocil:question_text>
│ │ │ │ +        </ocil:boolean_question>
│ │ │ │        </ocil:questions>
│ │ │ │      </ocil:ocil>
│ │ │ │    </ds:component>
│ │ │ │    <ds:component id="scap_org.open-scap_comp_ssg-eks-cpe-oval.xml" timestamp="2025-03-01T08:08:00">
│ │ │ │      <oval-def:oval_definitions xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-common-5 oval-common-schema.xsd  http://oval.mitre.org/XMLSchema/oval-definitions-5 oval-definitions-schema.xsd  http://oval.mitre.org/XMLSchema/oval-definitions-5#independent independent-definitions-schema.xsd  http://oval.mitre.org/XMLSchema/oval-definitions-5#unix unix-definitions-schema.xsd  http://oval.mitre.org/XMLSchema/oval-definitions-5#linux linux-definitions-schema.xsd">
│ │ │ │        <oval-def:generator>
│ │ │ │          <oval:product_name>build_cpe.py from SCAP Security Guide</oval:product_name>
│ │ ├── ./usr/share/xml/scap/ssg/content/ssg-eks-ocil.xml
│ │ │ ├── ./usr/share/xml/scap/ssg/content/ssg-eks-ocil.xml
│ │ │ │┄ Ordering differences only
│ │ │ │ @@ -3,321 +3,321 @@
│ │ │ │    <ocil:generator>
│ │ │ │      <ocil:product_name>build_shorthand.py from SCAP Security Guide</ocil:product_name>
│ │ │ │      <ocil:product_version>ssg: 0.1.76</ocil:product_version>
│ │ │ │      <ocil:schema_version>2.0</ocil:schema_version>
│ │ │ │      <ocil:timestamp>2025-03-01T08:08:00</ocil:timestamp>
│ │ │ │    </ocil:generator>
│ │ │ │    <ocil:questionnaires>
│ │ │ │ -    <ocil:questionnaire id="ocil:ssg-registry_access_ocil:questionnaire:1">
│ │ │ │ -      <ocil:title>Minimize user access to Amazon ECR</ocil:title>
│ │ │ │ +    <ocil:questionnaire id="ocil:ssg-image_scanning_ocil:questionnaire:1">
│ │ │ │ +      <ocil:title>Ensure Image Vulnerability Scanning</ocil:title>
│ │ │ │        <ocil:actions>
│ │ │ │ -        <ocil:test_action_ref>ocil:ssg-registry_access_action:testaction:1</ocil:test_action_ref>
│ │ │ │ +        <ocil:test_action_ref>ocil:ssg-image_scanning_action:testaction:1</ocil:test_action_ref>
│ │ │ │        </ocil:actions>
│ │ │ │      </ocil:questionnaire>
│ │ │ │ -    <ocil:questionnaire id="ocil:ssg-dedicated_service_accounts_ocil:questionnaire:1">
│ │ │ │ -      <ocil:title>Use Dedicated Service Accounts</ocil:title>
│ │ │ │ +    <ocil:questionnaire id="ocil:ssg-file_groupowner_kubelet_conf_ocil:questionnaire:1">
│ │ │ │ +      <ocil:title>Verify Group Who Owns The Kubelet Configuration File</ocil:title>
│ │ │ │        <ocil:actions>
│ │ │ │ -        <ocil:test_action_ref>ocil:ssg-dedicated_service_accounts_action:testaction:1</ocil:test_action_ref>
│ │ │ │ +        <ocil:test_action_ref>ocil:ssg-file_groupowner_kubelet_conf_action:testaction:1</ocil:test_action_ref>
│ │ │ │        </ocil:actions>
│ │ │ │      </ocil:questionnaire>
│ │ │ │ -    <ocil:questionnaire id="ocil:ssg-kubelet_enable_protect_kernel_defaults_ocil:questionnaire:1">
│ │ │ │ -      <ocil:title>kubelet - Enable Protect Kernel Defaults</ocil:title>
│ │ │ │ +    <ocil:questionnaire id="ocil:ssg-kubelet_read_only_port_secured_ocil:questionnaire:1">
│ │ │ │ +      <ocil:title>kubelet - Ensure that the --read-only-port is secured</ocil:title>
│ │ │ │        <ocil:actions>
│ │ │ │ -        <ocil:test_action_ref>ocil:ssg-kubelet_enable_protect_kernel_defaults_action:testaction:1</ocil:test_action_ref>
│ │ │ │ +        <ocil:test_action_ref>ocil:ssg-kubelet_read_only_port_secured_action:testaction:1</ocil:test_action_ref>
│ │ │ │        </ocil:actions>
│ │ │ │      </ocil:questionnaire>
│ │ │ │ -    <ocil:questionnaire id="ocil:ssg-file_permissions_worker_kubeconfig_ocil:questionnaire:1">
│ │ │ │ -      <ocil:title>Verify Permissions on the Worker Kubeconfig File</ocil:title>
│ │ │ │ +    <ocil:questionnaire id="ocil:ssg-kubelet_configure_client_ca_ocil:questionnaire:1">
│ │ │ │ +      <ocil:title>kubelet - Configure the Client CA Certificate</ocil:title>
│ │ │ │        <ocil:actions>
│ │ │ │ -        <ocil:test_action_ref>ocil:ssg-file_permissions_worker_kubeconfig_action:testaction:1</ocil:test_action_ref>
│ │ │ │ +        <ocil:test_action_ref>ocil:ssg-kubelet_configure_client_ca_action:testaction:1</ocil:test_action_ref>
│ │ │ │        </ocil:actions>
│ │ │ │      </ocil:questionnaire>
│ │ │ │ -    <ocil:questionnaire id="ocil:ssg-audit_logging_ocil:questionnaire:1">
│ │ │ │ -      <ocil:title>Ensure Audit Logging is Enabled</ocil:title>
│ │ │ │ +    <ocil:questionnaire id="ocil:ssg-read_only_registry_access_ocil:questionnaire:1">
│ │ │ │ +      <ocil:title>Ensure Cluster Service Account with read-only access to Amazon ECR</ocil:title>
│ │ │ │        <ocil:actions>
│ │ │ │ -        <ocil:test_action_ref>ocil:ssg-audit_logging_action:testaction:1</ocil:test_action_ref>
│ │ │ │ +        <ocil:test_action_ref>ocil:ssg-read_only_registry_access_action:testaction:1</ocil:test_action_ref>
│ │ │ │        </ocil:actions>
│ │ │ │      </ocil:questionnaire>
│ │ │ │ -    <ocil:questionnaire id="ocil:ssg-kubelet_read_only_port_secured_ocil:questionnaire:1">
│ │ │ │ -      <ocil:title>kubelet - Ensure that the --read-only-port is secured</ocil:title>
│ │ │ │ +    <ocil:questionnaire id="ocil:ssg-file_owner_kubelet_conf_ocil:questionnaire:1">
│ │ │ │ +      <ocil:title>Verify User Who Owns The Kubelet Configuration File</ocil:title>
│ │ │ │        <ocil:actions>
│ │ │ │ -        <ocil:test_action_ref>ocil:ssg-kubelet_read_only_port_secured_action:testaction:1</ocil:test_action_ref>
│ │ │ │ +        <ocil:test_action_ref>ocil:ssg-file_owner_kubelet_conf_action:testaction:1</ocil:test_action_ref>
│ │ │ │        </ocil:actions>
│ │ │ │      </ocil:questionnaire>
│ │ │ │ -    <ocil:questionnaire id="ocil:ssg-endpoint_configuration_ocil:questionnaire:1">
│ │ │ │ -      <ocil:title>Ensure Private Endpoint Access</ocil:title>
│ │ │ │ +    <ocil:questionnaire id="ocil:ssg-kubelet_authorization_mode_ocil:questionnaire:1">
│ │ │ │ +      <ocil:title>Ensure authorization is set to Webhook</ocil:title>
│ │ │ │        <ocil:actions>
│ │ │ │ -        <ocil:test_action_ref>ocil:ssg-endpoint_configuration_action:testaction:1</ocil:test_action_ref>
│ │ │ │ +        <ocil:test_action_ref>ocil:ssg-kubelet_authorization_mode_action:testaction:1</ocil:test_action_ref>
│ │ │ │        </ocil:actions>
│ │ │ │      </ocil:questionnaire>
│ │ │ │ -    <ocil:questionnaire id="ocil:ssg-secret_encryption_ocil:questionnaire:1">
│ │ │ │ -      <ocil:title>Ensure Kubernetes Secrets are Encrypted</ocil:title>
│ │ │ │ +    <ocil:questionnaire id="ocil:ssg-registry_access_ocil:questionnaire:1">
│ │ │ │ +      <ocil:title>Minimize user access to Amazon ECR</ocil:title>
│ │ │ │        <ocil:actions>
│ │ │ │ -        <ocil:test_action_ref>ocil:ssg-secret_encryption_action:testaction:1</ocil:test_action_ref>
│ │ │ │ +        <ocil:test_action_ref>ocil:ssg-registry_access_action:testaction:1</ocil:test_action_ref>
│ │ │ │        </ocil:actions>
│ │ │ │      </ocil:questionnaire>
│ │ │ │ -    <ocil:questionnaire id="ocil:ssg-kubelet_enable_iptables_util_chains_ocil:questionnaire:1">
│ │ │ │ -      <ocil:title>kubelet - Allow Automatic Firewall Configuration</ocil:title>
│ │ │ │ +    <ocil:questionnaire id="ocil:ssg-file_permissions_worker_kubeconfig_ocil:questionnaire:1">
│ │ │ │ +      <ocil:title>Verify Permissions on the Worker Kubeconfig File</ocil:title>
│ │ │ │        <ocil:actions>
│ │ │ │ -        <ocil:test_action_ref>ocil:ssg-kubelet_enable_iptables_util_chains_action:testaction:1</ocil:test_action_ref>
│ │ │ │ +        <ocil:test_action_ref>ocil:ssg-file_permissions_worker_kubeconfig_action:testaction:1</ocil:test_action_ref>
│ │ │ │        </ocil:actions>
│ │ │ │      </ocil:questionnaire>
│ │ │ │ -    <ocil:questionnaire id="ocil:ssg-file_owner_worker_kubeconfig_ocil:questionnaire:1">
│ │ │ │ -      <ocil:title>Verify User Who Owns The Worker Kubeconfig File</ocil:title>
│ │ │ │ +    <ocil:questionnaire id="ocil:ssg-endpoint_configuration_ocil:questionnaire:1">
│ │ │ │ +      <ocil:title>Ensure Private Endpoint Access</ocil:title>
│ │ │ │        <ocil:actions>
│ │ │ │ -        <ocil:test_action_ref>ocil:ssg-file_owner_worker_kubeconfig_action:testaction:1</ocil:test_action_ref>
│ │ │ │ +        <ocil:test_action_ref>ocil:ssg-endpoint_configuration_action:testaction:1</ocil:test_action_ref>
│ │ │ │        </ocil:actions>
│ │ │ │      </ocil:questionnaire>
│ │ │ │ -    <ocil:questionnaire id="ocil:ssg-kubelet_enable_server_cert_rotation_ocil:questionnaire:1">
│ │ │ │ -      <ocil:title>kubelet - Enable Server Certificate Rotation</ocil:title>
│ │ │ │ +    <ocil:questionnaire id="ocil:ssg-kubelet_enable_streaming_connections_deprecated_ocil:questionnaire:1">
│ │ │ │ +      <ocil:title>kubelet - Do Not Disable Streaming Timeouts</ocil:title>
│ │ │ │        <ocil:actions>
│ │ │ │ -        <ocil:test_action_ref>ocil:ssg-kubelet_enable_server_cert_rotation_action:testaction:1</ocil:test_action_ref>
│ │ │ │ +        <ocil:test_action_ref>ocil:ssg-kubelet_enable_streaming_connections_deprecated_action:testaction:1</ocil:test_action_ref>
│ │ │ │        </ocil:actions>
│ │ │ │      </ocil:questionnaire>
│ │ │ │ -    <ocil:questionnaire id="ocil:ssg-file_groupowner_kubelet_conf_ocil:questionnaire:1">
│ │ │ │ -      <ocil:title>Verify Group Who Owns The Kubelet Configuration File</ocil:title>
│ │ │ │ +    <ocil:questionnaire id="ocil:ssg-private_nodes_ocil:questionnaire:1">
│ │ │ │ +      <ocil:title>Ensure Cluster Private Nodes</ocil:title>
│ │ │ │        <ocil:actions>
│ │ │ │ -        <ocil:test_action_ref>ocil:ssg-file_groupowner_kubelet_conf_action:testaction:1</ocil:test_action_ref>
│ │ │ │ +        <ocil:test_action_ref>ocil:ssg-private_nodes_action:testaction:1</ocil:test_action_ref>
│ │ │ │        </ocil:actions>
│ │ │ │      </ocil:questionnaire>
│ │ │ │ -    <ocil:questionnaire id="ocil:ssg-fargate_ocil:questionnaire:1">
│ │ │ │ -      <ocil:title>Consider Fargate for Untrusted Workloads</ocil:title>
│ │ │ │ +    <ocil:questionnaire id="ocil:ssg-kubelet_enable_streaming_connections_ocil:questionnaire:1">
│ │ │ │ +      <ocil:title>kubelet - Do Not Disable Streaming Timeouts</ocil:title>
│ │ │ │        <ocil:actions>
│ │ │ │ -        <ocil:test_action_ref>ocil:ssg-fargate_action:testaction:1</ocil:test_action_ref>
│ │ │ │ +        <ocil:test_action_ref>ocil:ssg-kubelet_enable_streaming_connections_action:testaction:1</ocil:test_action_ref>
│ │ │ │        </ocil:actions>
│ │ │ │      </ocil:questionnaire>
│ │ │ │ -    <ocil:questionnaire id="ocil:ssg-configure_network_policies_namespaces_ocil:questionnaire:1">
│ │ │ │ -      <ocil:title>Ensure that application Namespaces have Network Policies defined.</ocil:title>
│ │ │ │ +    <ocil:questionnaire id="ocil:ssg-approved_registries_ocil:questionnaire:1">
│ │ │ │ +      <ocil:title>Only use approved container registries</ocil:title>
│ │ │ │        <ocil:actions>
│ │ │ │ -        <ocil:test_action_ref>ocil:ssg-configure_network_policies_namespaces_action:testaction:1</ocil:test_action_ref>
│ │ │ │ +        <ocil:test_action_ref>ocil:ssg-approved_registries_action:testaction:1</ocil:test_action_ref>
│ │ │ │        </ocil:actions>
│ │ │ │      </ocil:questionnaire>
│ │ │ │ -    <ocil:questionnaire id="ocil:ssg-file_groupowner_worker_kubeconfig_ocil:questionnaire:1">
│ │ │ │ -      <ocil:title>Verify Group Who Owns The Worker Kubeconfig File</ocil:title>
│ │ │ │ +    <ocil:questionnaire id="ocil:ssg-configure_tls_ocil:questionnaire:1">
│ │ │ │ +      <ocil:title>Encrypt Traffic to Load Balancers and Workloads</ocil:title>
│ │ │ │        <ocil:actions>
│ │ │ │ -        <ocil:test_action_ref>ocil:ssg-file_groupowner_worker_kubeconfig_action:testaction:1</ocil:test_action_ref>
│ │ │ │ +        <ocil:test_action_ref>ocil:ssg-configure_tls_action:testaction:1</ocil:test_action_ref>
│ │ │ │        </ocil:actions>
│ │ │ │      </ocil:questionnaire>
│ │ │ │      <ocil:questionnaire id="ocil:ssg-kubelet_anonymous_auth_ocil:questionnaire:1">
│ │ │ │        <ocil:title>Disable Anonymous Authentication to the Kubelet</ocil:title>
│ │ │ │        <ocil:actions>
│ │ │ │          <ocil:test_action_ref>ocil:ssg-kubelet_anonymous_auth_action:testaction:1</ocil:test_action_ref>
│ │ │ │        </ocil:actions>
│ │ │ │      </ocil:questionnaire>
│ │ │ │ -    <ocil:questionnaire id="ocil:ssg-iam_integration_ocil:questionnaire:1">
│ │ │ │ -      <ocil:title>Manage Users with AWS IAM</ocil:title>
│ │ │ │ +    <ocil:questionnaire id="ocil:ssg-file_owner_worker_kubeconfig_ocil:questionnaire:1">
│ │ │ │ +      <ocil:title>Verify User Who Owns The Worker Kubeconfig File</ocil:title>
│ │ │ │        <ocil:actions>
│ │ │ │ -        <ocil:test_action_ref>ocil:ssg-iam_integration_action:testaction:1</ocil:test_action_ref>
│ │ │ │ +        <ocil:test_action_ref>ocil:ssg-file_owner_worker_kubeconfig_action:testaction:1</ocil:test_action_ref>
│ │ │ │        </ocil:actions>
│ │ │ │      </ocil:questionnaire>
│ │ │ │ -    <ocil:questionnaire id="ocil:ssg-private_nodes_ocil:questionnaire:1">
│ │ │ │ -      <ocil:title>Ensure Cluster Private Nodes</ocil:title>
│ │ │ │ +    <ocil:questionnaire id="ocil:ssg-kubelet_enable_iptables_util_chains_ocil:questionnaire:1">
│ │ │ │ +      <ocil:title>kubelet - Allow Automatic Firewall Configuration</ocil:title>
│ │ │ │        <ocil:actions>
│ │ │ │ -        <ocil:test_action_ref>ocil:ssg-private_nodes_action:testaction:1</ocil:test_action_ref>
│ │ │ │ +        <ocil:test_action_ref>ocil:ssg-kubelet_enable_iptables_util_chains_action:testaction:1</ocil:test_action_ref>
│ │ │ │        </ocil:actions>
│ │ │ │      </ocil:questionnaire>
│ │ │ │ -    <ocil:questionnaire id="ocil:ssg-kubelet_configure_client_ca_ocil:questionnaire:1">
│ │ │ │ -      <ocil:title>kubelet - Configure the Client CA Certificate</ocil:title>
│ │ │ │ +    <ocil:questionnaire id="ocil:ssg-iam_integration_ocil:questionnaire:1">
│ │ │ │ +      <ocil:title>Manage Users with AWS IAM</ocil:title>
│ │ │ │        <ocil:actions>
│ │ │ │ -        <ocil:test_action_ref>ocil:ssg-kubelet_configure_client_ca_action:testaction:1</ocil:test_action_ref>
│ │ │ │ +        <ocil:test_action_ref>ocil:ssg-iam_integration_action:testaction:1</ocil:test_action_ref>
│ │ │ │        </ocil:actions>
│ │ │ │      </ocil:questionnaire>
│ │ │ │ -    <ocil:questionnaire id="ocil:ssg-kubelet_authorization_mode_ocil:questionnaire:1">
│ │ │ │ -      <ocil:title>Ensure authorization is set to Webhook</ocil:title>
│ │ │ │ +    <ocil:questionnaire id="ocil:ssg-file_groupowner_worker_kubeconfig_ocil:questionnaire:1">
│ │ │ │ +      <ocil:title>Verify Group Who Owns The Worker Kubeconfig File</ocil:title>
│ │ │ │        <ocil:actions>
│ │ │ │ -        <ocil:test_action_ref>ocil:ssg-kubelet_authorization_mode_action:testaction:1</ocil:test_action_ref>
│ │ │ │ +        <ocil:test_action_ref>ocil:ssg-file_groupowner_worker_kubeconfig_action:testaction:1</ocil:test_action_ref>
│ │ │ │        </ocil:actions>
│ │ │ │      </ocil:questionnaire>
│ │ │ │ -    <ocil:questionnaire id="ocil:ssg-configure_tls_ocil:questionnaire:1">
│ │ │ │ -      <ocil:title>Encrypt Traffic to Load Balancers and Workloads</ocil:title>
│ │ │ │ +    <ocil:questionnaire id="ocil:ssg-kubelet_enable_cert_rotation_ocil:questionnaire:1">
│ │ │ │ +      <ocil:title>kubelet - Enable Certificate Rotation</ocil:title>
│ │ │ │        <ocil:actions>
│ │ │ │ -        <ocil:test_action_ref>ocil:ssg-configure_tls_action:testaction:1</ocil:test_action_ref>
│ │ │ │ +        <ocil:test_action_ref>ocil:ssg-kubelet_enable_cert_rotation_action:testaction:1</ocil:test_action_ref>
│ │ │ │        </ocil:actions>
│ │ │ │      </ocil:questionnaire>
│ │ │ │ -    <ocil:questionnaire id="ocil:ssg-configure_network_policy_ocil:questionnaire:1">
│ │ │ │ -      <ocil:title>Ensure Network Policy is Enabled</ocil:title>
│ │ │ │ +    <ocil:questionnaire id="ocil:ssg-fargate_ocil:questionnaire:1">
│ │ │ │ +      <ocil:title>Consider Fargate for Untrusted Workloads</ocil:title>
│ │ │ │        <ocil:actions>
│ │ │ │ -        <ocil:test_action_ref>ocil:ssg-configure_network_policy_action:testaction:1</ocil:test_action_ref>
│ │ │ │ +        <ocil:test_action_ref>ocil:ssg-fargate_action:testaction:1</ocil:test_action_ref>
│ │ │ │        </ocil:actions>
│ │ │ │      </ocil:questionnaire>
│ │ │ │ -    <ocil:questionnaire id="ocil:ssg-file_owner_kubelet_conf_ocil:questionnaire:1">
│ │ │ │ -      <ocil:title>Verify User Who Owns The Kubelet Configuration File</ocil:title>
│ │ │ │ +    <ocil:questionnaire id="ocil:ssg-kubelet_enable_server_cert_rotation_ocil:questionnaire:1">
│ │ │ │ +      <ocil:title>kubelet - Enable Server Certificate Rotation</ocil:title>
│ │ │ │        <ocil:actions>
│ │ │ │ -        <ocil:test_action_ref>ocil:ssg-file_owner_kubelet_conf_action:testaction:1</ocil:test_action_ref>
│ │ │ │ +        <ocil:test_action_ref>ocil:ssg-kubelet_enable_server_cert_rotation_action:testaction:1</ocil:test_action_ref>
│ │ │ │        </ocil:actions>
│ │ │ │      </ocil:questionnaire>
│ │ │ │ -    <ocil:questionnaire id="ocil:ssg-approved_registries_ocil:questionnaire:1">
│ │ │ │ -      <ocil:title>Only use approved container registries</ocil:title>
│ │ │ │ +    <ocil:questionnaire id="ocil:ssg-kubelet_enable_client_cert_rotation_ocil:questionnaire:1">
│ │ │ │ +      <ocil:title>kubelet - Enable Client Certificate Rotation</ocil:title>
│ │ │ │        <ocil:actions>
│ │ │ │ -        <ocil:test_action_ref>ocil:ssg-approved_registries_action:testaction:1</ocil:test_action_ref>
│ │ │ │ +        <ocil:test_action_ref>ocil:ssg-kubelet_enable_client_cert_rotation_action:testaction:1</ocil:test_action_ref>
│ │ │ │        </ocil:actions>
│ │ │ │      </ocil:questionnaire>
│ │ │ │ -    <ocil:questionnaire id="ocil:ssg-kubelet_enable_streaming_connections_ocil:questionnaire:1">
│ │ │ │ -      <ocil:title>kubelet - Do Not Disable Streaming Timeouts</ocil:title>
│ │ │ │ +    <ocil:questionnaire id="ocil:ssg-dedicated_service_accounts_ocil:questionnaire:1">
│ │ │ │ +      <ocil:title>Use Dedicated Service Accounts</ocil:title>
│ │ │ │        <ocil:actions>
│ │ │ │ -        <ocil:test_action_ref>ocil:ssg-kubelet_enable_streaming_connections_action:testaction:1</ocil:test_action_ref>
│ │ │ │ +        <ocil:test_action_ref>ocil:ssg-dedicated_service_accounts_action:testaction:1</ocil:test_action_ref>
│ │ │ │        </ocil:actions>
│ │ │ │      </ocil:questionnaire>
│ │ │ │ -    <ocil:questionnaire id="ocil:ssg-image_scanning_ocil:questionnaire:1">
│ │ │ │ -      <ocil:title>Ensure Image Vulnerability Scanning</ocil:title>
│ │ │ │ +    <ocil:questionnaire id="ocil:ssg-configure_network_policy_ocil:questionnaire:1">
│ │ │ │ +      <ocil:title>Ensure Network Policy is Enabled</ocil:title>
│ │ │ │        <ocil:actions>
│ │ │ │ -        <ocil:test_action_ref>ocil:ssg-image_scanning_action:testaction:1</ocil:test_action_ref>
│ │ │ │ +        <ocil:test_action_ref>ocil:ssg-configure_network_policy_action:testaction:1</ocil:test_action_ref>
│ │ │ │        </ocil:actions>
│ │ │ │      </ocil:questionnaire>
│ │ │ │ -    <ocil:questionnaire id="ocil:ssg-read_only_registry_access_ocil:questionnaire:1">
│ │ │ │ -      <ocil:title>Ensure Cluster Service Account with read-only access to Amazon ECR</ocil:title>
│ │ │ │ +    <ocil:questionnaire id="ocil:ssg-control_plane_access_ocil:questionnaire:1">
│ │ │ │ +      <ocil:title>Restrict Access to the Control Plane Endpoint</ocil:title>
│ │ │ │        <ocil:actions>
│ │ │ │ -        <ocil:test_action_ref>ocil:ssg-read_only_registry_access_action:testaction:1</ocil:test_action_ref>
│ │ │ │ +        <ocil:test_action_ref>ocil:ssg-control_plane_access_action:testaction:1</ocil:test_action_ref>
│ │ │ │        </ocil:actions>
│ │ │ │      </ocil:questionnaire>
│ │ │ │ -    <ocil:questionnaire id="ocil:ssg-kubelet_enable_cert_rotation_ocil:questionnaire:1">
│ │ │ │ -      <ocil:title>kubelet - Enable Certificate Rotation</ocil:title>
│ │ │ │ +    <ocil:questionnaire id="ocil:ssg-secret_encryption_ocil:questionnaire:1">
│ │ │ │ +      <ocil:title>Ensure Kubernetes Secrets are Encrypted</ocil:title>
│ │ │ │        <ocil:actions>
│ │ │ │ -        <ocil:test_action_ref>ocil:ssg-kubelet_enable_cert_rotation_action:testaction:1</ocil:test_action_ref>
│ │ │ │ +        <ocil:test_action_ref>ocil:ssg-secret_encryption_action:testaction:1</ocil:test_action_ref>
│ │ │ │        </ocil:actions>
│ │ │ │      </ocil:questionnaire>
│ │ │ │ -    <ocil:questionnaire id="ocil:ssg-kubelet_enable_streaming_connections_deprecated_ocil:questionnaire:1">
│ │ │ │ -      <ocil:title>kubelet - Do Not Disable Streaming Timeouts</ocil:title>
│ │ │ │ +    <ocil:questionnaire id="ocil:ssg-file_permissions_kubelet_conf_ocil:questionnaire:1">
│ │ │ │ +      <ocil:title>Verify Permissions on The Kubelet Configuration File</ocil:title>
│ │ │ │        <ocil:actions>
│ │ │ │ -        <ocil:test_action_ref>ocil:ssg-kubelet_enable_streaming_connections_deprecated_action:testaction:1</ocil:test_action_ref>
│ │ │ │ +        <ocil:test_action_ref>ocil:ssg-file_permissions_kubelet_conf_action:testaction:1</ocil:test_action_ref>
│ │ │ │        </ocil:actions>
│ │ │ │      </ocil:questionnaire>
│ │ │ │ -    <ocil:questionnaire id="ocil:ssg-kubelet_enable_client_cert_rotation_ocil:questionnaire:1">
│ │ │ │ -      <ocil:title>kubelet - Enable Client Certificate Rotation</ocil:title>
│ │ │ │ +    <ocil:questionnaire id="ocil:ssg-configure_network_policies_namespaces_ocil:questionnaire:1">
│ │ │ │ +      <ocil:title>Ensure that application Namespaces have Network Policies defined.</ocil:title>
│ │ │ │        <ocil:actions>
│ │ │ │ -        <ocil:test_action_ref>ocil:ssg-kubelet_enable_client_cert_rotation_action:testaction:1</ocil:test_action_ref>
│ │ │ │ +        <ocil:test_action_ref>ocil:ssg-configure_network_policies_namespaces_action:testaction:1</ocil:test_action_ref>
│ │ │ │        </ocil:actions>
│ │ │ │      </ocil:questionnaire>
│ │ │ │ -    <ocil:questionnaire id="ocil:ssg-file_permissions_kubelet_conf_ocil:questionnaire:1">
│ │ │ │ -      <ocil:title>Verify Permissions on The Kubelet Configuration File</ocil:title>
│ │ │ │ +    <ocil:questionnaire id="ocil:ssg-audit_logging_ocil:questionnaire:1">
│ │ │ │ +      <ocil:title>Ensure Audit Logging is Enabled</ocil:title>
│ │ │ │        <ocil:actions>
│ │ │ │ -        <ocil:test_action_ref>ocil:ssg-file_permissions_kubelet_conf_action:testaction:1</ocil:test_action_ref>
│ │ │ │ +        <ocil:test_action_ref>ocil:ssg-audit_logging_action:testaction:1</ocil:test_action_ref>
│ │ │ │        </ocil:actions>
│ │ │ │      </ocil:questionnaire>
│ │ │ │ -    <ocil:questionnaire id="ocil:ssg-control_plane_access_ocil:questionnaire:1">
│ │ │ │ -      <ocil:title>Restrict Access to the Control Plane Endpoint</ocil:title>
│ │ │ │ +    <ocil:questionnaire id="ocil:ssg-kubelet_enable_protect_kernel_defaults_ocil:questionnaire:1">
│ │ │ │ +      <ocil:title>kubelet - Enable Protect Kernel Defaults</ocil:title>
│ │ │ │        <ocil:actions>
│ │ │ │ -        <ocil:test_action_ref>ocil:ssg-control_plane_access_action:testaction:1</ocil:test_action_ref>
│ │ │ │ +        <ocil:test_action_ref>ocil:ssg-kubelet_enable_protect_kernel_defaults_action:testaction:1</ocil:test_action_ref>
│ │ │ │        </ocil:actions>
│ │ │ │      </ocil:questionnaire>
│ │ │ │    </ocil:questionnaires>
│ │ │ │    <ocil:test_actions>
│ │ │ │ -    <ocil:boolean_question_test_action id="ocil:ssg-registry_access_action:testaction:1" question_ref="ocil:ssg-registry_access_question:question:1">
│ │ │ │ +    <ocil:boolean_question_test_action id="ocil:ssg-image_scanning_action:testaction:1" question_ref="ocil:ssg-image_scanning_question:question:1">
│ │ │ │        <ocil:when_true>
│ │ │ │          <ocil:result>PASS</ocil:result>
│ │ │ │        </ocil:when_true>
│ │ │ │        <ocil:when_false>
│ │ │ │          <ocil:result>FAIL</ocil:result>
│ │ │ │        </ocil:when_false>
│ │ │ │      </ocil:boolean_question_test_action>
│ │ │ │ -    <ocil:boolean_question_test_action id="ocil:ssg-dedicated_service_accounts_action:testaction:1" question_ref="ocil:ssg-dedicated_service_accounts_question:question:1">
│ │ │ │ +    <ocil:boolean_question_test_action id="ocil:ssg-file_groupowner_kubelet_conf_action:testaction:1" question_ref="ocil:ssg-file_groupowner_kubelet_conf_question:question:1">
│ │ │ │        <ocil:when_true>
│ │ │ │          <ocil:result>PASS</ocil:result>
│ │ │ │        </ocil:when_true>
│ │ │ │        <ocil:when_false>
│ │ │ │          <ocil:result>FAIL</ocil:result>
│ │ │ │        </ocil:when_false>
│ │ │ │      </ocil:boolean_question_test_action>
│ │ │ │ -    <ocil:boolean_question_test_action id="ocil:ssg-kubelet_enable_protect_kernel_defaults_action:testaction:1" question_ref="ocil:ssg-kubelet_enable_protect_kernel_defaults_question:question:1">
│ │ │ │ +    <ocil:boolean_question_test_action id="ocil:ssg-kubelet_read_only_port_secured_action:testaction:1" question_ref="ocil:ssg-kubelet_read_only_port_secured_question:question:1">
│ │ │ │        <ocil:when_true>
│ │ │ │          <ocil:result>PASS</ocil:result>
│ │ │ │        </ocil:when_true>
│ │ │ │        <ocil:when_false>
│ │ │ │          <ocil:result>FAIL</ocil:result>
│ │ │ │        </ocil:when_false>
│ │ │ │      </ocil:boolean_question_test_action>
│ │ │ │ -    <ocil:boolean_question_test_action id="ocil:ssg-file_permissions_worker_kubeconfig_action:testaction:1" question_ref="ocil:ssg-file_permissions_worker_kubeconfig_question:question:1">
│ │ │ │ +    <ocil:boolean_question_test_action id="ocil:ssg-kubelet_configure_client_ca_action:testaction:1" question_ref="ocil:ssg-kubelet_configure_client_ca_question:question:1">
│ │ │ │        <ocil:when_true>
│ │ │ │          <ocil:result>PASS</ocil:result>
│ │ │ │        </ocil:when_true>
│ │ │ │        <ocil:when_false>
│ │ │ │          <ocil:result>FAIL</ocil:result>
│ │ │ │        </ocil:when_false>
│ │ │ │      </ocil:boolean_question_test_action>
│ │ │ │ -    <ocil:boolean_question_test_action id="ocil:ssg-audit_logging_action:testaction:1" question_ref="ocil:ssg-audit_logging_question:question:1">
│ │ │ │ +    <ocil:boolean_question_test_action id="ocil:ssg-read_only_registry_access_action:testaction:1" question_ref="ocil:ssg-read_only_registry_access_question:question:1">
│ │ │ │        <ocil:when_true>
│ │ │ │          <ocil:result>PASS</ocil:result>
│ │ │ │        </ocil:when_true>
│ │ │ │        <ocil:when_false>
│ │ │ │          <ocil:result>FAIL</ocil:result>
│ │ │ │        </ocil:when_false>
│ │ │ │      </ocil:boolean_question_test_action>
│ │ │ │ -    <ocil:boolean_question_test_action id="ocil:ssg-kubelet_read_only_port_secured_action:testaction:1" question_ref="ocil:ssg-kubelet_read_only_port_secured_question:question:1">
│ │ │ │ +    <ocil:boolean_question_test_action id="ocil:ssg-file_owner_kubelet_conf_action:testaction:1" question_ref="ocil:ssg-file_owner_kubelet_conf_question:question:1">
│ │ │ │        <ocil:when_true>
│ │ │ │          <ocil:result>PASS</ocil:result>
│ │ │ │        </ocil:when_true>
│ │ │ │        <ocil:when_false>
│ │ │ │          <ocil:result>FAIL</ocil:result>
│ │ │ │        </ocil:when_false>
│ │ │ │      </ocil:boolean_question_test_action>
│ │ │ │ -    <ocil:boolean_question_test_action id="ocil:ssg-endpoint_configuration_action:testaction:1" question_ref="ocil:ssg-endpoint_configuration_question:question:1">
│ │ │ │ +    <ocil:boolean_question_test_action id="ocil:ssg-kubelet_authorization_mode_action:testaction:1" question_ref="ocil:ssg-kubelet_authorization_mode_question:question:1">
│ │ │ │        <ocil:when_true>
│ │ │ │          <ocil:result>PASS</ocil:result>
│ │ │ │        </ocil:when_true>
│ │ │ │        <ocil:when_false>
│ │ │ │          <ocil:result>FAIL</ocil:result>
│ │ │ │        </ocil:when_false>
│ │ │ │      </ocil:boolean_question_test_action>
│ │ │ │ -    <ocil:boolean_question_test_action id="ocil:ssg-secret_encryption_action:testaction:1" question_ref="ocil:ssg-secret_encryption_question:question:1">
│ │ │ │ +    <ocil:boolean_question_test_action id="ocil:ssg-registry_access_action:testaction:1" question_ref="ocil:ssg-registry_access_question:question:1">
│ │ │ │        <ocil:when_true>
│ │ │ │          <ocil:result>PASS</ocil:result>
│ │ │ │        </ocil:when_true>
│ │ │ │        <ocil:when_false>
│ │ │ │          <ocil:result>FAIL</ocil:result>
│ │ │ │        </ocil:when_false>
│ │ │ │      </ocil:boolean_question_test_action>
│ │ │ │ -    <ocil:boolean_question_test_action id="ocil:ssg-kubelet_enable_iptables_util_chains_action:testaction:1" question_ref="ocil:ssg-kubelet_enable_iptables_util_chains_question:question:1">
│ │ │ │ +    <ocil:boolean_question_test_action id="ocil:ssg-file_permissions_worker_kubeconfig_action:testaction:1" question_ref="ocil:ssg-file_permissions_worker_kubeconfig_question:question:1">
│ │ │ │        <ocil:when_true>
│ │ │ │          <ocil:result>PASS</ocil:result>
│ │ │ │        </ocil:when_true>
│ │ │ │        <ocil:when_false>
│ │ │ │          <ocil:result>FAIL</ocil:result>
│ │ │ │        </ocil:when_false>
│ │ │ │      </ocil:boolean_question_test_action>
│ │ │ │ -    <ocil:boolean_question_test_action id="ocil:ssg-file_owner_worker_kubeconfig_action:testaction:1" question_ref="ocil:ssg-file_owner_worker_kubeconfig_question:question:1">
│ │ │ │ +    <ocil:boolean_question_test_action id="ocil:ssg-endpoint_configuration_action:testaction:1" question_ref="ocil:ssg-endpoint_configuration_question:question:1">
│ │ │ │        <ocil:when_true>
│ │ │ │          <ocil:result>PASS</ocil:result>
│ │ │ │        </ocil:when_true>
│ │ │ │        <ocil:when_false>
│ │ │ │          <ocil:result>FAIL</ocil:result>
│ │ │ │        </ocil:when_false>
│ │ │ │      </ocil:boolean_question_test_action>
│ │ │ │ -    <ocil:boolean_question_test_action id="ocil:ssg-kubelet_enable_server_cert_rotation_action:testaction:1" question_ref="ocil:ssg-kubelet_enable_server_cert_rotation_question:question:1">
│ │ │ │ +    <ocil:boolean_question_test_action id="ocil:ssg-kubelet_enable_streaming_connections_deprecated_action:testaction:1" question_ref="ocil:ssg-kubelet_enable_streaming_connections_deprecated_question:question:1">
│ │ │ │        <ocil:when_true>
│ │ │ │          <ocil:result>PASS</ocil:result>
│ │ │ │        </ocil:when_true>
│ │ │ │        <ocil:when_false>
│ │ │ │          <ocil:result>FAIL</ocil:result>
│ │ │ │        </ocil:when_false>
│ │ │ │      </ocil:boolean_question_test_action>
│ │ │ │ -    <ocil:boolean_question_test_action id="ocil:ssg-file_groupowner_kubelet_conf_action:testaction:1" question_ref="ocil:ssg-file_groupowner_kubelet_conf_question:question:1">
│ │ │ │ +    <ocil:boolean_question_test_action id="ocil:ssg-private_nodes_action:testaction:1" question_ref="ocil:ssg-private_nodes_question:question:1">
│ │ │ │        <ocil:when_true>
│ │ │ │          <ocil:result>PASS</ocil:result>
│ │ │ │        </ocil:when_true>
│ │ │ │        <ocil:when_false>
│ │ │ │          <ocil:result>FAIL</ocil:result>
│ │ │ │        </ocil:when_false>
│ │ │ │      </ocil:boolean_question_test_action>
│ │ │ │ -    <ocil:boolean_question_test_action id="ocil:ssg-fargate_action:testaction:1" question_ref="ocil:ssg-fargate_question:question:1">
│ │ │ │ +    <ocil:boolean_question_test_action id="ocil:ssg-kubelet_enable_streaming_connections_action:testaction:1" question_ref="ocil:ssg-kubelet_enable_streaming_connections_question:question:1">
│ │ │ │        <ocil:when_true>
│ │ │ │          <ocil:result>PASS</ocil:result>
│ │ │ │        </ocil:when_true>
│ │ │ │        <ocil:when_false>
│ │ │ │          <ocil:result>FAIL</ocil:result>
│ │ │ │        </ocil:when_false>
│ │ │ │      </ocil:boolean_question_test_action>
│ │ │ │ -    <ocil:boolean_question_test_action id="ocil:ssg-configure_network_policies_namespaces_action:testaction:1" question_ref="ocil:ssg-configure_network_policies_namespaces_question:question:1">
│ │ │ │ +    <ocil:boolean_question_test_action id="ocil:ssg-approved_registries_action:testaction:1" question_ref="ocil:ssg-approved_registries_question:question:1">
│ │ │ │        <ocil:when_true>
│ │ │ │          <ocil:result>PASS</ocil:result>
│ │ │ │        </ocil:when_true>
│ │ │ │        <ocil:when_false>
│ │ │ │          <ocil:result>FAIL</ocil:result>
│ │ │ │        </ocil:when_false>
│ │ │ │      </ocil:boolean_question_test_action>
│ │ │ │ -    <ocil:boolean_question_test_action id="ocil:ssg-file_groupowner_worker_kubeconfig_action:testaction:1" question_ref="ocil:ssg-file_groupowner_worker_kubeconfig_question:question:1">
│ │ │ │ +    <ocil:boolean_question_test_action id="ocil:ssg-configure_tls_action:testaction:1" question_ref="ocil:ssg-configure_tls_question:question:1">
│ │ │ │        <ocil:when_true>
│ │ │ │          <ocil:result>PASS</ocil:result>
│ │ │ │        </ocil:when_true>
│ │ │ │        <ocil:when_false>
│ │ │ │          <ocil:result>FAIL</ocil:result>
│ │ │ │        </ocil:when_false>
│ │ │ │      </ocil:boolean_question_test_action>
│ │ │ │ @@ -325,144 +325,237 @@
│ │ │ │        <ocil:when_true>
│ │ │ │          <ocil:result>PASS</ocil:result>
│ │ │ │        </ocil:when_true>
│ │ │ │        <ocil:when_false>
│ │ │ │          <ocil:result>FAIL</ocil:result>
│ │ │ │        </ocil:when_false>
│ │ │ │      </ocil:boolean_question_test_action>
│ │ │ │ -    <ocil:boolean_question_test_action id="ocil:ssg-iam_integration_action:testaction:1" question_ref="ocil:ssg-iam_integration_question:question:1">
│ │ │ │ +    <ocil:boolean_question_test_action id="ocil:ssg-file_owner_worker_kubeconfig_action:testaction:1" question_ref="ocil:ssg-file_owner_worker_kubeconfig_question:question:1">
│ │ │ │        <ocil:when_true>
│ │ │ │          <ocil:result>PASS</ocil:result>
│ │ │ │        </ocil:when_true>
│ │ │ │        <ocil:when_false>
│ │ │ │          <ocil:result>FAIL</ocil:result>
│ │ │ │        </ocil:when_false>
│ │ │ │      </ocil:boolean_question_test_action>
│ │ │ │ -    <ocil:boolean_question_test_action id="ocil:ssg-private_nodes_action:testaction:1" question_ref="ocil:ssg-private_nodes_question:question:1">
│ │ │ │ +    <ocil:boolean_question_test_action id="ocil:ssg-kubelet_enable_iptables_util_chains_action:testaction:1" question_ref="ocil:ssg-kubelet_enable_iptables_util_chains_question:question:1">
│ │ │ │        <ocil:when_true>
│ │ │ │          <ocil:result>PASS</ocil:result>
│ │ │ │        </ocil:when_true>
│ │ │ │        <ocil:when_false>
│ │ │ │          <ocil:result>FAIL</ocil:result>
│ │ │ │        </ocil:when_false>
│ │ │ │      </ocil:boolean_question_test_action>
│ │ │ │ -    <ocil:boolean_question_test_action id="ocil:ssg-kubelet_configure_client_ca_action:testaction:1" question_ref="ocil:ssg-kubelet_configure_client_ca_question:question:1">
│ │ │ │ +    <ocil:boolean_question_test_action id="ocil:ssg-iam_integration_action:testaction:1" question_ref="ocil:ssg-iam_integration_question:question:1">
│ │ │ │        <ocil:when_true>
│ │ │ │          <ocil:result>PASS</ocil:result>
│ │ │ │        </ocil:when_true>
│ │ │ │        <ocil:when_false>
│ │ │ │          <ocil:result>FAIL</ocil:result>
│ │ │ │        </ocil:when_false>
│ │ │ │      </ocil:boolean_question_test_action>
│ │ │ │ -    <ocil:boolean_question_test_action id="ocil:ssg-kubelet_authorization_mode_action:testaction:1" question_ref="ocil:ssg-kubelet_authorization_mode_question:question:1">
│ │ │ │ +    <ocil:boolean_question_test_action id="ocil:ssg-file_groupowner_worker_kubeconfig_action:testaction:1" question_ref="ocil:ssg-file_groupowner_worker_kubeconfig_question:question:1">
│ │ │ │        <ocil:when_true>
│ │ │ │          <ocil:result>PASS</ocil:result>
│ │ │ │        </ocil:when_true>
│ │ │ │        <ocil:when_false>
│ │ │ │          <ocil:result>FAIL</ocil:result>
│ │ │ │        </ocil:when_false>
│ │ │ │      </ocil:boolean_question_test_action>
│ │ │ │ -    <ocil:boolean_question_test_action id="ocil:ssg-configure_tls_action:testaction:1" question_ref="ocil:ssg-configure_tls_question:question:1">
│ │ │ │ +    <ocil:boolean_question_test_action id="ocil:ssg-kubelet_enable_cert_rotation_action:testaction:1" question_ref="ocil:ssg-kubelet_enable_cert_rotation_question:question:1">
│ │ │ │        <ocil:when_true>
│ │ │ │          <ocil:result>PASS</ocil:result>
│ │ │ │        </ocil:when_true>
│ │ │ │        <ocil:when_false>
│ │ │ │          <ocil:result>FAIL</ocil:result>
│ │ │ │        </ocil:when_false>
│ │ │ │      </ocil:boolean_question_test_action>
│ │ │ │ -    <ocil:boolean_question_test_action id="ocil:ssg-configure_network_policy_action:testaction:1" question_ref="ocil:ssg-configure_network_policy_question:question:1">
│ │ │ │ +    <ocil:boolean_question_test_action id="ocil:ssg-fargate_action:testaction:1" question_ref="ocil:ssg-fargate_question:question:1">
│ │ │ │        <ocil:when_true>
│ │ │ │          <ocil:result>PASS</ocil:result>
│ │ │ │        </ocil:when_true>
│ │ │ │        <ocil:when_false>
│ │ │ │          <ocil:result>FAIL</ocil:result>
│ │ │ │        </ocil:when_false>
│ │ │ │      </ocil:boolean_question_test_action>
│ │ │ │ -    <ocil:boolean_question_test_action id="ocil:ssg-file_owner_kubelet_conf_action:testaction:1" question_ref="ocil:ssg-file_owner_kubelet_conf_question:question:1">
│ │ │ │ +    <ocil:boolean_question_test_action id="ocil:ssg-kubelet_enable_server_cert_rotation_action:testaction:1" question_ref="ocil:ssg-kubelet_enable_server_cert_rotation_question:question:1">
│ │ │ │        <ocil:when_true>
│ │ │ │          <ocil:result>PASS</ocil:result>
│ │ │ │        </ocil:when_true>
│ │ │ │        <ocil:when_false>
│ │ │ │          <ocil:result>FAIL</ocil:result>
│ │ │ │        </ocil:when_false>
│ │ │ │      </ocil:boolean_question_test_action>
│ │ │ │ -    <ocil:boolean_question_test_action id="ocil:ssg-approved_registries_action:testaction:1" question_ref="ocil:ssg-approved_registries_question:question:1">
│ │ │ │ +    <ocil:boolean_question_test_action id="ocil:ssg-kubelet_enable_client_cert_rotation_action:testaction:1" question_ref="ocil:ssg-kubelet_enable_client_cert_rotation_question:question:1">
│ │ │ │        <ocil:when_true>
│ │ │ │          <ocil:result>PASS</ocil:result>
│ │ │ │        </ocil:when_true>
│ │ │ │        <ocil:when_false>
│ │ │ │          <ocil:result>FAIL</ocil:result>
│ │ │ │        </ocil:when_false>
│ │ │ │      </ocil:boolean_question_test_action>
│ │ │ │ -    <ocil:boolean_question_test_action id="ocil:ssg-kubelet_enable_streaming_connections_action:testaction:1" question_ref="ocil:ssg-kubelet_enable_streaming_connections_question:question:1">
│ │ │ │ +    <ocil:boolean_question_test_action id="ocil:ssg-dedicated_service_accounts_action:testaction:1" question_ref="ocil:ssg-dedicated_service_accounts_question:question:1">
│ │ │ │        <ocil:when_true>
│ │ │ │          <ocil:result>PASS</ocil:result>
│ │ │ │        </ocil:when_true>
│ │ │ │        <ocil:when_false>
│ │ │ │          <ocil:result>FAIL</ocil:result>
│ │ │ │        </ocil:when_false>
│ │ │ │      </ocil:boolean_question_test_action>
│ │ │ │ -    <ocil:boolean_question_test_action id="ocil:ssg-image_scanning_action:testaction:1" question_ref="ocil:ssg-image_scanning_question:question:1">
│ │ │ │ +    <ocil:boolean_question_test_action id="ocil:ssg-configure_network_policy_action:testaction:1" question_ref="ocil:ssg-configure_network_policy_question:question:1">
│ │ │ │        <ocil:when_true>
│ │ │ │          <ocil:result>PASS</ocil:result>
│ │ │ │        </ocil:when_true>
│ │ │ │        <ocil:when_false>
│ │ │ │          <ocil:result>FAIL</ocil:result>
│ │ │ │        </ocil:when_false>
│ │ │ │      </ocil:boolean_question_test_action>
│ │ │ │ -    <ocil:boolean_question_test_action id="ocil:ssg-read_only_registry_access_action:testaction:1" question_ref="ocil:ssg-read_only_registry_access_question:question:1">
│ │ │ │ +    <ocil:boolean_question_test_action id="ocil:ssg-control_plane_access_action:testaction:1" question_ref="ocil:ssg-control_plane_access_question:question:1">
│ │ │ │        <ocil:when_true>
│ │ │ │          <ocil:result>PASS</ocil:result>
│ │ │ │        </ocil:when_true>
│ │ │ │        <ocil:when_false>
│ │ │ │          <ocil:result>FAIL</ocil:result>
│ │ │ │        </ocil:when_false>
│ │ │ │      </ocil:boolean_question_test_action>
│ │ │ │ -    <ocil:boolean_question_test_action id="ocil:ssg-kubelet_enable_cert_rotation_action:testaction:1" question_ref="ocil:ssg-kubelet_enable_cert_rotation_question:question:1">
│ │ │ │ +    <ocil:boolean_question_test_action id="ocil:ssg-secret_encryption_action:testaction:1" question_ref="ocil:ssg-secret_encryption_question:question:1">
│ │ │ │        <ocil:when_true>
│ │ │ │          <ocil:result>PASS</ocil:result>
│ │ │ │        </ocil:when_true>
│ │ │ │        <ocil:when_false>
│ │ │ │          <ocil:result>FAIL</ocil:result>
│ │ │ │        </ocil:when_false>
│ │ │ │      </ocil:boolean_question_test_action>
│ │ │ │ -    <ocil:boolean_question_test_action id="ocil:ssg-kubelet_enable_streaming_connections_deprecated_action:testaction:1" question_ref="ocil:ssg-kubelet_enable_streaming_connections_deprecated_question:question:1">
│ │ │ │ +    <ocil:boolean_question_test_action id="ocil:ssg-file_permissions_kubelet_conf_action:testaction:1" question_ref="ocil:ssg-file_permissions_kubelet_conf_question:question:1">
│ │ │ │        <ocil:when_true>
│ │ │ │          <ocil:result>PASS</ocil:result>
│ │ │ │        </ocil:when_true>
│ │ │ │        <ocil:when_false>
│ │ │ │          <ocil:result>FAIL</ocil:result>
│ │ │ │        </ocil:when_false>
│ │ │ │      </ocil:boolean_question_test_action>
│ │ │ │ -    <ocil:boolean_question_test_action id="ocil:ssg-kubelet_enable_client_cert_rotation_action:testaction:1" question_ref="ocil:ssg-kubelet_enable_client_cert_rotation_question:question:1">
│ │ │ │ +    <ocil:boolean_question_test_action id="ocil:ssg-configure_network_policies_namespaces_action:testaction:1" question_ref="ocil:ssg-configure_network_policies_namespaces_question:question:1">
│ │ │ │        <ocil:when_true>
│ │ │ │          <ocil:result>PASS</ocil:result>
│ │ │ │        </ocil:when_true>
│ │ │ │        <ocil:when_false>
│ │ │ │          <ocil:result>FAIL</ocil:result>
│ │ │ │        </ocil:when_false>
│ │ │ │      </ocil:boolean_question_test_action>
│ │ │ │ -    <ocil:boolean_question_test_action id="ocil:ssg-file_permissions_kubelet_conf_action:testaction:1" question_ref="ocil:ssg-file_permissions_kubelet_conf_question:question:1">
│ │ │ │ +    <ocil:boolean_question_test_action id="ocil:ssg-audit_logging_action:testaction:1" question_ref="ocil:ssg-audit_logging_question:question:1">
│ │ │ │        <ocil:when_true>
│ │ │ │          <ocil:result>PASS</ocil:result>
│ │ │ │        </ocil:when_true>
│ │ │ │        <ocil:when_false>
│ │ │ │          <ocil:result>FAIL</ocil:result>
│ │ │ │        </ocil:when_false>
│ │ │ │      </ocil:boolean_question_test_action>
│ │ │ │ -    <ocil:boolean_question_test_action id="ocil:ssg-control_plane_access_action:testaction:1" question_ref="ocil:ssg-control_plane_access_question:question:1">
│ │ │ │ +    <ocil:boolean_question_test_action id="ocil:ssg-kubelet_enable_protect_kernel_defaults_action:testaction:1" question_ref="ocil:ssg-kubelet_enable_protect_kernel_defaults_question:question:1">
│ │ │ │        <ocil:when_true>
│ │ │ │          <ocil:result>PASS</ocil:result>
│ │ │ │        </ocil:when_true>
│ │ │ │        <ocil:when_false>
│ │ │ │          <ocil:result>FAIL</ocil:result>
│ │ │ │        </ocil:when_false>
│ │ │ │      </ocil:boolean_question_test_action>
│ │ │ │    </ocil:test_actions>
│ │ │ │    <ocil:questions>
│ │ │ │ +    <ocil:boolean_question id="ocil:ssg-image_scanning_question:question:1">
│ │ │ │ +      <ocil:question_text>Please follow AWS ECS or your 3rd party image scanning provider's guidelines
│ │ │ │ +for enabling Image Scanning.
│ │ │ │ +
│ │ │ │ +Remediation:
│ │ │ │ +
│ │ │ │ +To utilize AWS ECR for Image scanning please follow the steps below:
│ │ │ │ +
│ │ │ │ +To create a repository configured for scan on push (AWS CLI)
│ │ │ │ +
│ │ │ │ +aws ecr create-repository --repository-name $REPO_NAME --image-scanning- configuration scanOnPush=true --region $REGION_CODE
│ │ │ │ +
│ │ │ │ +To edit the settings of an existing repository (AWS CLI)
│ │ │ │ +
│ │ │ │ +aws ecr put-image-scanning-configuration --repository-name $REPO_NAME -- image-scanning-configuration scanOnPush=true --region $REGION_CODE
│ │ │ │ +
│ │ │ │ +Use the following steps to start a manual image scan using the AWS Management Console.
│ │ │ │ +
│ │ │ │ +1. Open the Amazon ECR console at https://console.aws.amazon.com/ecr/repositories.
│ │ │ │ +2. From the navigation bar, choose the Region to create your repository in.
│ │ │ │ +3. In the navigation pane, choose Repositories.
│ │ │ │ +4. On the Repositories page, choose the repository that contains the image to scan.
│ │ │ │ +5. On the Images page, select the image to scan and then choose Scan.
│ │ │ │ +      Is it the case that image vulnerability scanning is enabled?</ocil:question_text>
│ │ │ │ +    </ocil:boolean_question>
│ │ │ │ +    <ocil:boolean_question id="ocil:ssg-file_groupowner_kubelet_conf_question:question:1">
│ │ │ │ +      <ocil:question_text>To check the group ownership of /etc/kubernetes/kubelet/kubelet-config.json,
│ │ │ │ +run the command:
│ │ │ │ +$ ls -lL /etc/kubernetes/kubelet/kubelet-config.json
│ │ │ │ +If properly configured, the output should indicate the following group-owner:
│ │ │ │ +root
│ │ │ │ +      Is it the case that /etc/kubernetes/kubelet/kubelet-config.json does not have a group owner of root?</ocil:question_text>
│ │ │ │ +    </ocil:boolean_question>
│ │ │ │ +    <ocil:boolean_question id="ocil:ssg-kubelet_read_only_port_secured_question:question:1">
│ │ │ │ +      <ocil:question_text>Run the following command on the kubelet node(s):
│ │ │ │ +$ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1"' | grep readOnlyPort; done
│ │ │ │ +and make sure it outputs 0.
│ │ │ │ +      Is it the case that readOnlyPort is not secured?</ocil:question_text>
│ │ │ │ +    </ocil:boolean_question>
│ │ │ │ +    <ocil:boolean_question id="ocil:ssg-kubelet_configure_client_ca_question:question:1">
│ │ │ │ +      <ocil:question_text>Run the following command on the kubelet node(s):
│ │ │ │ +$ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1"' | grep -A1 x509; done
│ │ │ │ +The output should contain a configured certificate like /etc/kubernetes/pki/ca.crt.
│ │ │ │ +      Is it the case that no client CA certificate has been configured?</ocil:question_text>
│ │ │ │ +    </ocil:boolean_question>
│ │ │ │ +    <ocil:boolean_question id="ocil:ssg-read_only_registry_access_question:question:1">
│ │ │ │ +      <ocil:question_text>Review AWS ECS worker node IAM role (NodeInstanceRole) IAM Policy Permissions
│ │ │ │ +to verify that they are set and the minimum required level. If utilizing a
│ │ │ │ +3rd party tool to scan images utilize the minimum required permission level
│ │ │ │ +required to interact with the cluster - generally this should be read-only.
│ │ │ │ +
│ │ │ │ +Remediation:
│ │ │ │ +
│ │ │ │ +You can use your Amazon ECR images with Amazon EKS, but you need to satisfy
│ │ │ │ +the following prerequisites.
│ │ │ │ +The Amazon EKS worker node IAM role (NodeInstanceRole) that you use with your
│ │ │ │ +worker nodes must possess the following IAM policy permissions for Amazon
│ │ │ │ +ECR.
│ │ │ │ +
│ │ │ │ +
│ │ │ │ +{
│ │ │ │ +  "Version": "2012-10-17",
│ │ │ │ +  "Statement": [
│ │ │ │ +    {
│ │ │ │ +      "Effect": "Allow",
│ │ │ │ +      "Action": [
│ │ │ │ +        "ecr:BatchCheckLayerAvailability",
│ │ │ │ +        "ecr:BatchGetImage",
│ │ │ │ +        "ecr:GetDownloadUrlForLayer",
│ │ │ │ +        "ecr:GetAuthorizationToken"
│ │ │ │ +      ],
│ │ │ │ +      "Resource": "*"
│ │ │ │ +    }
│ │ │ │ +  ]
│ │ │ │ +}
│ │ │ │ +
│ │ │ │ +      Is it the case that Cluster Service Account has read-only access to Amazon ECR?</ocil:question_text>
│ │ │ │ +    </ocil:boolean_question>
│ │ │ │ +    <ocil:boolean_question id="ocil:ssg-file_owner_kubelet_conf_question:question:1">
│ │ │ │ +      <ocil:question_text>To check the ownership of /etc/kubernetes/kubelet/kubelet-config.json,
│ │ │ │ +run the command:
│ │ │ │ +$ ls -lL /etc/kubernetes/kubelet/kubelet-config.json
│ │ │ │ +If properly configured, the output should indicate the following owner:
│ │ │ │ +root
│ │ │ │ +      Is it the case that /etc/kubernetes/kubelet/kubelet-config.json does not have an owner of root?</ocil:question_text>
│ │ │ │ +    </ocil:boolean_question>
│ │ │ │ +    <ocil:boolean_question id="ocil:ssg-kubelet_authorization_mode_question:question:1">
│ │ │ │ +      <ocil:question_text>Run the following command on the kubelet node(s):
│ │ │ │ +$ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1"' | sudo grep -A1 authorization; done
│ │ │ │ +Verify that the output is not set to mode: AlwaysAllow, or missing
│ │ │ │ +(defaults to mode: Webhook).
│ │ │ │ +      Is it the case that &lt;tt&gt;authorization-mode&lt;/tt&gt; is not configured to &lt;tt&gt;Webhook&lt;/tt&gt;?</ocil:question_text>
│ │ │ │ +    </ocil:boolean_question>
│ │ │ │      <ocil:boolean_question id="ocil:ssg-registry_access_question:question:1">
│ │ │ │        <ocil:question_text>Remediation:
│ │ │ │  
│ │ │ │  Before you use IAM to manage access to Amazon ECR, you should understand what
│ │ │ │  IAM features are available to use with Amazon ECR. To get a high-level view
│ │ │ │  of how Amazon ECR and other AWS services work with IAM, see AWS Services That
│ │ │ │  Work with IAM in the IAM User Guide.
│ │ │ │ @@ -552,154 +645,115 @@
│ │ │ │  condition keys. For more information, see Using Tag-Based Access Control. To
│ │ │ │  see a list of Amazon ECR condition keys, see Condition Keys Defined by Amazon
│ │ │ │  Elastic Container Registry in the IAM User Guide. To learn with which actions
│ │ │ │  and resources you can use a condition key, see Actions Defined by Amazon
│ │ │ │  Elastic Container Registry.
│ │ │ │        Is it the case that access to the container image registry is restricted?</ocil:question_text>
│ │ │ │      </ocil:boolean_question>
│ │ │ │ -    <ocil:boolean_question id="ocil:ssg-dedicated_service_accounts_question:question:1">
│ │ │ │ -      <ocil:question_text>Audit:
│ │ │ │ -
│ │ │ │ -For each namespace in the cluster, review the rights assigned to the default
│ │ │ │ -service account and ensure that it has no roles or cluster roles bound to it
│ │ │ │ -apart from the defaults. Additionally ensure that the
│ │ │ │ -automountServiceAccountToken: false setting is in place for each
│ │ │ │ -default service account.
│ │ │ │ -
│ │ │ │ -Remediation:
│ │ │ │ -
│ │ │ │ -With IAM roles for service accounts on Amazon EKS clusters, you can associate
│ │ │ │ -an IAM role with a Kubernetes service account. This service account can then
│ │ │ │ -provide AWS permissions to the containers in any pod that uses that service
│ │ │ │ -account. With this feature, you no longer need to provide extended
│ │ │ │ -permissions to the worker node IAM role so that pods on that node can call
│ │ │ │ -AWS APIs.
│ │ │ │ -Applications must sign their AWS API requests with AWS credentials. This
│ │ │ │ -feature provides a strategy for managing credentials for your applications,
│ │ │ │ -similar to the way that Amazon EC2 instance profiles provide credentials to
│ │ │ │ -Amazon EC2 instances. Instead of creating and distributing your AWS
│ │ │ │ -credentials to the containers or using the Amazon EC2 instance’s role, you
│ │ │ │ -can associate an IAM role with a Kubernetes service account. The applications
│ │ │ │ -in the pod’s containers can then use an AWS SDK or the AWS CLI to make API
│ │ │ │ -requests to authorized AWS services.
│ │ │ │ -
│ │ │ │ -The IAM roles for service accounts feature provides the following benefits:
│ │ │ │ -
│ │ │ │ -
│ │ │ │ -  Least privilege — By using the IAM roles for service accounts feature,
│ │ │ │ -  you no longer need to provide extended permissions to the worker node IAM
│ │ │ │ -  role so that pods on that node can call AWS APIs. You can scope IAM
│ │ │ │ -  permissions to a service account, and only pods that use that service
│ │ │ │ -  account have access to those permissions. This feature also eliminates the
│ │ │ │ -  need for third-party solutions such as kiam or kube2iam.
│ │ │ │ -  Credential isolation — A container can only retrieve credentials for
│ │ │ │ -  the IAM role that is associated with the service account to which it
│ │ │ │ -  belongs. A container never has access to credentials that are intended for
│ │ │ │ -  another container that belongs to another pod.
│ │ │ │ -  Auditability — Access and event logging is available through CloudTrail
│ │ │ │ -  to help ensure retrospective auditing.
│ │ │ │ -
│ │ │ │ -
│ │ │ │ -To get started, see Enabling IAM roles for service accounts on your cluster.
│ │ │ │ -For an end-to-end walkthrough using eksctl, see Walkthrough: Updating
│ │ │ │ -a DaemonSet to use IAM for service accounts.
│ │ │ │ -      Is it the case that dedicated service accounts are used?</ocil:question_text>
│ │ │ │ -    </ocil:boolean_question>
│ │ │ │ -    <ocil:boolean_question id="ocil:ssg-kubelet_enable_protect_kernel_defaults_question:question:1">
│ │ │ │ -      <ocil:question_text>Run the following command on the kubelet node(s):
│ │ │ │ -$ sudo grep protectKernelDefaults /etc/kubernetes/kubelet/kubelet-config.json
│ │ │ │ -The output should return true.
│ │ │ │ -      Is it the case that the kubelet can modify kernel parameters?</ocil:question_text>
│ │ │ │ -    </ocil:boolean_question>
│ │ │ │      <ocil:boolean_question id="ocil:ssg-file_permissions_worker_kubeconfig_question:question:1">
│ │ │ │        <ocil:question_text>To check the permissions of /var/lib/kubelet/kubeconfig,
│ │ │ │  run the command:
│ │ │ │  $ ls -l /var/lib/kubelet/kubeconfig
│ │ │ │  If properly configured, the output should indicate the following permissions:
│ │ │ │  -rw-r--r--
│ │ │ │        Is it the case that /var/lib/kubelet/kubeconfig does not have unix mode -rw-r--r--?</ocil:question_text>
│ │ │ │      </ocil:boolean_question>
│ │ │ │ -    <ocil:boolean_question id="ocil:ssg-audit_logging_question:question:1">
│ │ │ │ -      <ocil:question_text>Perform the following to determine if CloudTrail is enabled for all regions:
│ │ │ │ -Via the Management Console
│ │ │ │ -1. Sign in to the AWS Management Console and open the EKS console at https://console.aws.amazon.com/eks
│ │ │ │ -2. Click on Cluster Name of the cluster you are auditing
│ │ │ │ -3. Click Logging
│ │ │ │ -4. Ensure all 5 choices are set to Enabled
│ │ │ │ -Via CLI
│ │ │ │ -aws --region "${REGION_CODE}" eks describe-cluster --name "${CLUSTER_NAME}"  --query 'cluster.logging.clusterLogging[?enabled==true].types'
│ │ │ │ -
│ │ │ │ -Perform the following to determine if CloudTrail is enabled for all regions:
│ │ │ │ -Via The Management Console
│ │ │ │ -1. Sign in to the AWS Management Console and open the EKS console at https://console.aws.amazon.com/eks
│ │ │ │ -2. Click on Cluster Name of the cluster you are auditing
│ │ │ │ -3. Click Logging
│ │ │ │ -4. Select Manage Logging from the button on the right hand side
│ │ │ │ -5. Toggle each selection to the Enabled position.
│ │ │ │ -6. Click Save Changes
│ │ │ │ -      Is it the case that audit logging is enable?</ocil:question_text>
│ │ │ │ -    </ocil:boolean_question>
│ │ │ │ -    <ocil:boolean_question id="ocil:ssg-kubelet_read_only_port_secured_question:question:1">
│ │ │ │ -      <ocil:question_text>Run the following command on the kubelet node(s):
│ │ │ │ -$ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1"' | grep readOnlyPort; done
│ │ │ │ -and make sure it outputs 0.
│ │ │ │ -      Is it the case that readOnlyPort is not secured?</ocil:question_text>
│ │ │ │ -    </ocil:boolean_question>
│ │ │ │      <ocil:boolean_question id="ocil:ssg-endpoint_configuration_question:question:1">
│ │ │ │        <ocil:question_text>Configure the EKS cluster endpoint to be private. See Modifying Cluster
│ │ │ │  Endpoint Access for further information on this topic.
│ │ │ │  https://docs.aws.amazon.com/eks/latest/userguide/cluster-endpoint.html
│ │ │ │        Is it the case that private access is enabled and public access is disabled?</ocil:question_text>
│ │ │ │      </ocil:boolean_question>
│ │ │ │ -    <ocil:boolean_question id="ocil:ssg-secret_encryption_question:question:1">
│ │ │ │ -      <ocil:question_text>Audit:
│ │ │ │ -
│ │ │ │ -For Amazon EKS clusters with Secrets Encryption enabled, look for
│ │ │ │ -'encryptionConfig' configuration when you run:
│ │ │ │ -aws eks describe-cluster --name="cluster-name"
│ │ │ │ -
│ │ │ │ -Remediation:
│ │ │ │ +    <ocil:boolean_question id="ocil:ssg-kubelet_enable_streaming_connections_deprecated_question:question:1">
│ │ │ │ +      <ocil:question_text>Run the following command on the kubelet node(s):
│ │ │ │ +$ sudo grep streamingConnectionIdleTimeout /etc/kubernetes/kubelet/kubelet-config.json
│ │ │ │ +The output should return {{ .var_streaming_connection_timeouts }}.
│ │ │ │ +      Is it the case that the streaming connection timeouts are not disabled?</ocil:question_text>
│ │ │ │ +    </ocil:boolean_question>
│ │ │ │ +    <ocil:boolean_question id="ocil:ssg-private_nodes_question:question:1">
│ │ │ │ +      <ocil:question_text>To enable Private Nodes, the cluster has to also be configured with a private
│ │ │ │ +master IP range and IP Aliasing enabled. Private Nodes do not have outbound
│ │ │ │ +access to the public internet.
│ │ │ │  
│ │ │ │ -Enable 'Secrets Encryption' during Amazon EKS cluster creation as
│ │ │ │ -described in the links within the 'References' section.
│ │ │ │ +If you want to provide outbound Internet access for your private nodes, you
│ │ │ │ +can use Cloud NAT or you can manage your own NAT gateway.
│ │ │ │ +      Is it the case that clusters are created with private nodes?</ocil:question_text>
│ │ │ │ +    </ocil:boolean_question>
│ │ │ │ +    <ocil:boolean_question id="ocil:ssg-kubelet_enable_streaming_connections_question:question:1">
│ │ │ │ +      <ocil:question_text>Run the following command on the kubelet node(s):
│ │ │ │ +$ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1"' | grep streamingConnectionIdleTimeout; done
│ │ │ │ +The output should not return 0.
│ │ │ │ +      Is it the case that the streaming connection timeouts are not disabled?</ocil:question_text>
│ │ │ │ +    </ocil:boolean_question>
│ │ │ │ +    <ocil:boolean_question id="ocil:ssg-approved_registries_question:question:1">
│ │ │ │ +      <ocil:question_text>Ensure all containers and images are coming from approved registries.
│ │ │ │  
│ │ │ │  References:
│ │ │ │  
│ │ │ │ -  https://docs.aws.amazon.com/eks/latest/userguide/create-cluster.html
│ │ │ │ -  https://eksworkshop.com/beginner/191_secrets/
│ │ │ │ +https://aws.amazon.com/blogs/opensource/using-open-policy-agent-on-amazon-eks/
│ │ │ │ +      Is it the case that container images come from approved registries?</ocil:question_text>
│ │ │ │ +    </ocil:boolean_question>
│ │ │ │ +    <ocil:boolean_question id="ocil:ssg-configure_tls_question:question:1">
│ │ │ │ +      <ocil:question_text>For more information about protecting your workloads using TLS please refer
│ │ │ │ +to the AWS User Guide:
│ │ │ │  
│ │ │ │ -      Is it the case that kubernetes secrets are encrypted in etcd?</ocil:question_text>
│ │ │ │ +https://docs.aws.amazon.com/elasticloadbalancing/latest/userguide/data-protection.html
│ │ │ │ +      Is it the case that connections to load balancers and workloads are encrypted with TLS?</ocil:question_text>
│ │ │ │      </ocil:boolean_question>
│ │ │ │ -    <ocil:boolean_question id="ocil:ssg-kubelet_enable_iptables_util_chains_question:question:1">
│ │ │ │ +    <ocil:boolean_question id="ocil:ssg-kubelet_anonymous_auth_question:question:1">
│ │ │ │        <ocil:question_text>Run the following command on the kubelet node(s):
│ │ │ │ -$ oc get --raw /api/v1/nodes/${NODE_NAME}/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1"' | grep makeIPTablesUtilChains 
│ │ │ │ -The output should return true.
│ │ │ │ -      Is it the case that the kubelet cannot modify the firewall settings?</ocil:question_text>
│ │ │ │ +$ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1"' | grep -A1 anonymous; done
│ │ │ │ +The output should return enabled: false.
│ │ │ │ +      Is it the case that &lt;tt&gt;anonymous&lt;/tt&gt; authentication is not set to &lt;tt&gt;false&lt;/tt&gt;?</ocil:question_text>
│ │ │ │      </ocil:boolean_question>
│ │ │ │      <ocil:boolean_question id="ocil:ssg-file_owner_worker_kubeconfig_question:question:1">
│ │ │ │        <ocil:question_text>To check the ownership of /var/lib/kubelet/kubeconfig,
│ │ │ │  run the command:
│ │ │ │  $ ls -lL /var/lib/kubelet/kubeconfig
│ │ │ │  If properly configured, the output should indicate the following owner:
│ │ │ │  root
│ │ │ │        Is it the case that /var/lib/kubelet/kubeconfig does not have an owner of root?</ocil:question_text>
│ │ │ │      </ocil:boolean_question>
│ │ │ │ -    <ocil:boolean_question id="ocil:ssg-kubelet_enable_server_cert_rotation_question:question:1">
│ │ │ │ +    <ocil:boolean_question id="ocil:ssg-kubelet_enable_iptables_util_chains_question:question:1">
│ │ │ │        <ocil:question_text>Run the following command on the kubelet node(s):
│ │ │ │ -$ for node in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$node/proxy/configz | jq '.kubeletconfig.serverTLSBootstrap'; done
│ │ │ │ +$ oc get --raw /api/v1/nodes/${NODE_NAME}/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1"' | grep makeIPTablesUtilChains 
│ │ │ │  The output should return true.
│ │ │ │ -      Is it the case that the kubelet cannot rotate server certificate?</ocil:question_text>
│ │ │ │ +      Is it the case that the kubelet cannot modify the firewall settings?</ocil:question_text>
│ │ │ │      </ocil:boolean_question>
│ │ │ │ -    <ocil:boolean_question id="ocil:ssg-file_groupowner_kubelet_conf_question:question:1">
│ │ │ │ -      <ocil:question_text>To check the group ownership of /etc/kubernetes/kubelet/kubelet-config.json,
│ │ │ │ +    <ocil:boolean_question id="ocil:ssg-iam_integration_question:question:1">
│ │ │ │ +      <ocil:question_text>Audit:
│ │ │ │ +
│ │ │ │ +To Audit access to the namespace $NAMESPACE, assume the IAM role
│ │ │ │ +yourIAMRoleName for a user that you created, and then run the following
│ │ │ │ +command:
│ │ │ │ +
│ │ │ │ +$ kubectl get role -n $NAMESPACE
│ │ │ │ +The response lists the RBAC role that has access to this Namespace.
│ │ │ │ +
│ │ │ │ +Remediation:
│ │ │ │ +
│ │ │ │ +Refer to the 'Managing users or IAM roles for your cluster' in Amazon EKS
│ │ │ │ +documentation.
│ │ │ │ +
│ │ │ │ +https://docs.aws.amazon.com/eks/latest/userguide/add-user-role.html
│ │ │ │ +      Is it the case that authorization and authentication is managed using AWS IAM?</ocil:question_text>
│ │ │ │ +    </ocil:boolean_question>
│ │ │ │ +    <ocil:boolean_question id="ocil:ssg-file_groupowner_worker_kubeconfig_question:question:1">
│ │ │ │ +      <ocil:question_text>To check the group ownership of /var/lib/kubelet/kubeconfig,
│ │ │ │  run the command:
│ │ │ │ -$ ls -lL /etc/kubernetes/kubelet/kubelet-config.json
│ │ │ │ +$ ls -lL /var/lib/kubelet/kubeconfig
│ │ │ │  If properly configured, the output should indicate the following group-owner:
│ │ │ │  root
│ │ │ │ -      Is it the case that /etc/kubernetes/kubelet/kubelet-config.json does not have a group owner of root?</ocil:question_text>
│ │ │ │ +      Is it the case that /var/lib/kubelet/kubeconfig does not have a group owner of root?</ocil:question_text>
│ │ │ │ +    </ocil:boolean_question>
│ │ │ │ +    <ocil:boolean_question id="ocil:ssg-kubelet_enable_cert_rotation_question:question:1">
│ │ │ │ +      <ocil:question_text>Run the following command on the kubelet node(s):
│ │ │ │ +$ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1"' | grep rotateCertificates; done
│ │ │ │ +The output should return nothing or true.
│ │ │ │ +      Is it the case that the kubelet cannot rotate client certificate?</ocil:question_text>
│ │ │ │      </ocil:boolean_question>
│ │ │ │      <ocil:boolean_question id="ocil:ssg-fargate_question:question:1">
│ │ │ │        <ocil:question_text>Audit:
│ │ │ │  Check the existence of Fargate profiles in the Amazon EKS cluster by using:
│ │ │ │  
│ │ │ │  aws --region ${AWS_REGION} eks list-fargate-profiles --cluster-name ${CLUSTER_NAME}
│ │ │ │  Alternatively, to audit for the presence of a Fargate profile node run the
│ │ │ │ @@ -761,89 +815,73 @@
│ │ │ │    the specified namespace that also have the infrastructure: fargate
│ │ │ │    Kubernetes label match the selector. 
│ │ │ │    On the Review and create page, review the information for your Fargate
│ │ │ │    profile and choose Create.
│ │ │ │  
│ │ │ │        Is it the case that untrusted workloads are isolated?</ocil:question_text>
│ │ │ │      </ocil:boolean_question>
│ │ │ │ -    <ocil:boolean_question id="ocil:ssg-configure_network_policies_namespaces_question:question:1">
│ │ │ │ -      <ocil:question_text>Verify that the every non-control plane namespace has an appropriate
│ │ │ │ -NetworkPolicy.
│ │ │ │ -
│ │ │ │ -To get all the non-control plane namespaces, you can do the
│ │ │ │ -following command $ oc get  namespaces -o json | jq '[.items[] | select((.metadata.name | startswith("openshift") | not) and (.metadata.name | startswith("kube-") | not) and .metadata.name != "default" and ({{if ne .var_network_policies_namespaces_exempt_regex "None"}}.metadata.name | test("{{.var_network_policies_namespaces_exempt_regex}}") | not{{else}}true{{end}})) | .metadata.name ]'
│ │ │ │ -
│ │ │ │ -To get all the non-control plane namespaces with a NetworkPolicy, you can do the
│ │ │ │ -following command $ oc get --all-namespaces networkpolicies -o json | jq '[.items[] | select((.metadata.namespace | startswith("openshift") | not) and (.metadata.namespace | startswith("kube-") | not) and .metadata.namespace != "default" and ({{if ne .var_network_policies_namespaces_exempt_regex "None"}}.metadata.namespace | test("{{.var_network_policies_namespaces_exempt_regex}}") | not{{else}}true{{end}})) | .metadata.namespace] | unique'
│ │ │ │ -
│ │ │ │ -Namespaces matching the variable ocp4-var-network-policies-namespaces-exempt-regex regex are excluded from this check.
│ │ │ │ -
│ │ │ │ -Make sure that the namespaces displayed in the commands of the commands match.
│ │ │ │ -      Is it the case that Namespaced Network Policies needs review?</ocil:question_text>
│ │ │ │ -    </ocil:boolean_question>
│ │ │ │ -    <ocil:boolean_question id="ocil:ssg-file_groupowner_worker_kubeconfig_question:question:1">
│ │ │ │ -      <ocil:question_text>To check the group ownership of /var/lib/kubelet/kubeconfig,
│ │ │ │ -run the command:
│ │ │ │ -$ ls -lL /var/lib/kubelet/kubeconfig
│ │ │ │ -If properly configured, the output should indicate the following group-owner:
│ │ │ │ -root
│ │ │ │ -      Is it the case that /var/lib/kubelet/kubeconfig does not have a group owner of root?</ocil:question_text>
│ │ │ │ +    <ocil:boolean_question id="ocil:ssg-kubelet_enable_server_cert_rotation_question:question:1">
│ │ │ │ +      <ocil:question_text>Run the following command on the kubelet node(s):
│ │ │ │ +$ for node in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$node/proxy/configz | jq '.kubeletconfig.serverTLSBootstrap'; done
│ │ │ │ +The output should return true.
│ │ │ │ +      Is it the case that the kubelet cannot rotate server certificate?</ocil:question_text>
│ │ │ │      </ocil:boolean_question>
│ │ │ │ -    <ocil:boolean_question id="ocil:ssg-kubelet_anonymous_auth_question:question:1">
│ │ │ │ +    <ocil:boolean_question id="ocil:ssg-kubelet_enable_client_cert_rotation_question:question:1">
│ │ │ │        <ocil:question_text>Run the following command on the kubelet node(s):
│ │ │ │ -$ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1"' | grep -A1 anonymous; done
│ │ │ │ -The output should return enabled: false.
│ │ │ │ -      Is it the case that &lt;tt&gt;anonymous&lt;/tt&gt; authentication is not set to &lt;tt&gt;false&lt;/tt&gt;?</ocil:question_text>
│ │ │ │ +$ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1"' | grep RotateKubeletClientCertificate; done
│ │ │ │ +The output should return nothing or true.
│ │ │ │ +      Is it the case that the kubelet cannot rotate client certificate?</ocil:question_text>
│ │ │ │      </ocil:boolean_question>
│ │ │ │ -    <ocil:boolean_question id="ocil:ssg-iam_integration_question:question:1">
│ │ │ │ +    <ocil:boolean_question id="ocil:ssg-dedicated_service_accounts_question:question:1">
│ │ │ │        <ocil:question_text>Audit:
│ │ │ │  
│ │ │ │ -To Audit access to the namespace $NAMESPACE, assume the IAM role
│ │ │ │ -yourIAMRoleName for a user that you created, and then run the following
│ │ │ │ -command:
│ │ │ │ -
│ │ │ │ -$ kubectl get role -n $NAMESPACE
│ │ │ │ -The response lists the RBAC role that has access to this Namespace.
│ │ │ │ +For each namespace in the cluster, review the rights assigned to the default
│ │ │ │ +service account and ensure that it has no roles or cluster roles bound to it
│ │ │ │ +apart from the defaults. Additionally ensure that the
│ │ │ │ +automountServiceAccountToken: false setting is in place for each
│ │ │ │ +default service account.
│ │ │ │  
│ │ │ │  Remediation:
│ │ │ │  
│ │ │ │ -Refer to the 'Managing users or IAM roles for your cluster' in Amazon EKS
│ │ │ │ -documentation.
│ │ │ │ +With IAM roles for service accounts on Amazon EKS clusters, you can associate
│ │ │ │ +an IAM role with a Kubernetes service account. This service account can then
│ │ │ │ +provide AWS permissions to the containers in any pod that uses that service
│ │ │ │ +account. With this feature, you no longer need to provide extended
│ │ │ │ +permissions to the worker node IAM role so that pods on that node can call
│ │ │ │ +AWS APIs.
│ │ │ │ +Applications must sign their AWS API requests with AWS credentials. This
│ │ │ │ +feature provides a strategy for managing credentials for your applications,
│ │ │ │ +similar to the way that Amazon EC2 instance profiles provide credentials to
│ │ │ │ +Amazon EC2 instances. Instead of creating and distributing your AWS
│ │ │ │ +credentials to the containers or using the Amazon EC2 instance’s role, you
│ │ │ │ +can associate an IAM role with a Kubernetes service account. The applications
│ │ │ │ +in the pod’s containers can then use an AWS SDK or the AWS CLI to make API
│ │ │ │ +requests to authorized AWS services.
│ │ │ │  
│ │ │ │ -https://docs.aws.amazon.com/eks/latest/userguide/add-user-role.html
│ │ │ │ -      Is it the case that authorization and authentication is managed using AWS IAM?</ocil:question_text>
│ │ │ │ -    </ocil:boolean_question>
│ │ │ │ -    <ocil:boolean_question id="ocil:ssg-private_nodes_question:question:1">
│ │ │ │ -      <ocil:question_text>To enable Private Nodes, the cluster has to also be configured with a private
│ │ │ │ -master IP range and IP Aliasing enabled. Private Nodes do not have outbound
│ │ │ │ -access to the public internet.
│ │ │ │ +The IAM roles for service accounts feature provides the following benefits:
│ │ │ │  
│ │ │ │ -If you want to provide outbound Internet access for your private nodes, you
│ │ │ │ -can use Cloud NAT or you can manage your own NAT gateway.
│ │ │ │ -      Is it the case that clusters are created with private nodes?</ocil:question_text>
│ │ │ │ -    </ocil:boolean_question>
│ │ │ │ -    <ocil:boolean_question id="ocil:ssg-kubelet_configure_client_ca_question:question:1">
│ │ │ │ -      <ocil:question_text>Run the following command on the kubelet node(s):
│ │ │ │ -$ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1"' | grep -A1 x509; done
│ │ │ │ -The output should contain a configured certificate like /etc/kubernetes/pki/ca.crt.
│ │ │ │ -      Is it the case that no client CA certificate has been configured?</ocil:question_text>
│ │ │ │ -    </ocil:boolean_question>
│ │ │ │ -    <ocil:boolean_question id="ocil:ssg-kubelet_authorization_mode_question:question:1">
│ │ │ │ -      <ocil:question_text>Run the following command on the kubelet node(s):
│ │ │ │ -$ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1"' | sudo grep -A1 authorization; done
│ │ │ │ -Verify that the output is not set to mode: AlwaysAllow, or missing
│ │ │ │ -(defaults to mode: Webhook).
│ │ │ │ -      Is it the case that &lt;tt&gt;authorization-mode&lt;/tt&gt; is not configured to &lt;tt&gt;Webhook&lt;/tt&gt;?</ocil:question_text>
│ │ │ │ -    </ocil:boolean_question>
│ │ │ │ -    <ocil:boolean_question id="ocil:ssg-configure_tls_question:question:1">
│ │ │ │ -      <ocil:question_text>For more information about protecting your workloads using TLS please refer
│ │ │ │ -to the AWS User Guide:
│ │ │ │  
│ │ │ │ -https://docs.aws.amazon.com/elasticloadbalancing/latest/userguide/data-protection.html
│ │ │ │ -      Is it the case that connections to load balancers and workloads are encrypted with TLS?</ocil:question_text>
│ │ │ │ +  Least privilege — By using the IAM roles for service accounts feature,
│ │ │ │ +  you no longer need to provide extended permissions to the worker node IAM
│ │ │ │ +  role so that pods on that node can call AWS APIs. You can scope IAM
│ │ │ │ +  permissions to a service account, and only pods that use that service
│ │ │ │ +  account have access to those permissions. This feature also eliminates the
│ │ │ │ +  need for third-party solutions such as kiam or kube2iam.
│ │ │ │ +  Credential isolation — A container can only retrieve credentials for
│ │ │ │ +  the IAM role that is associated with the service account to which it
│ │ │ │ +  belongs. A container never has access to credentials that are intended for
│ │ │ │ +  another container that belongs to another pod.
│ │ │ │ +  Auditability — Access and event logging is available through CloudTrail
│ │ │ │ +  to help ensure retrospective auditing.
│ │ │ │ +
│ │ │ │ +
│ │ │ │ +To get started, see Enabling IAM roles for service accounts on your cluster.
│ │ │ │ +For an end-to-end walkthrough using eksctl, see Walkthrough: Updating
│ │ │ │ +a DaemonSet to use IAM for service accounts.
│ │ │ │ +      Is it the case that dedicated service accounts are used?</ocil:question_text>
│ │ │ │      </ocil:boolean_question>
│ │ │ │      <ocil:boolean_question id="ocil:ssg-configure_network_policy_question:question:1">
│ │ │ │        <ocil:question_text>Network Policy requires the Network Policy add-on. This add-on is included
│ │ │ │  automatically when a cluster with Network Policy is created, but for an
│ │ │ │  existing cluster, needs to be added prior to enabling Network Policy.
│ │ │ │  
│ │ │ │  Enabling/Disabling Network Policy causes a rolling update of all cluster
│ │ │ │ @@ -857,120 +895,14 @@
│ │ │ │  
│ │ │ │  Enabling Network Policy enforcement consumes additional resources in nodes.
│ │ │ │  Specifically, it increases the memory footprint of the kube-system
│ │ │ │  process by approximately 128MB, and requires approximately 300 millicores of
│ │ │ │  CPU.
│ │ │ │        Is it the case that network policy is enabled?</ocil:question_text>
│ │ │ │      </ocil:boolean_question>
│ │ │ │ -    <ocil:boolean_question id="ocil:ssg-file_owner_kubelet_conf_question:question:1">
│ │ │ │ -      <ocil:question_text>To check the ownership of /etc/kubernetes/kubelet/kubelet-config.json,
│ │ │ │ -run the command:
│ │ │ │ -$ ls -lL /etc/kubernetes/kubelet/kubelet-config.json
│ │ │ │ -If properly configured, the output should indicate the following owner:
│ │ │ │ -root
│ │ │ │ -      Is it the case that /etc/kubernetes/kubelet/kubelet-config.json does not have an owner of root?</ocil:question_text>
│ │ │ │ -    </ocil:boolean_question>
│ │ │ │ -    <ocil:boolean_question id="ocil:ssg-approved_registries_question:question:1">
│ │ │ │ -      <ocil:question_text>Ensure all containers and images are coming from approved registries.
│ │ │ │ -
│ │ │ │ -References:
│ │ │ │ -
│ │ │ │ -https://aws.amazon.com/blogs/opensource/using-open-policy-agent-on-amazon-eks/
│ │ │ │ -      Is it the case that container images come from approved registries?</ocil:question_text>
│ │ │ │ -    </ocil:boolean_question>
│ │ │ │ -    <ocil:boolean_question id="ocil:ssg-kubelet_enable_streaming_connections_question:question:1">
│ │ │ │ -      <ocil:question_text>Run the following command on the kubelet node(s):
│ │ │ │ -$ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1"' | grep streamingConnectionIdleTimeout; done
│ │ │ │ -The output should not return 0.
│ │ │ │ -      Is it the case that the streaming connection timeouts are not disabled?</ocil:question_text>
│ │ │ │ -    </ocil:boolean_question>
│ │ │ │ -    <ocil:boolean_question id="ocil:ssg-image_scanning_question:question:1">
│ │ │ │ -      <ocil:question_text>Please follow AWS ECS or your 3rd party image scanning provider's guidelines
│ │ │ │ -for enabling Image Scanning.
│ │ │ │ -
│ │ │ │ -Remediation:
│ │ │ │ -
│ │ │ │ -To utilize AWS ECR for Image scanning please follow the steps below:
│ │ │ │ -
│ │ │ │ -To create a repository configured for scan on push (AWS CLI)
│ │ │ │ -
│ │ │ │ -aws ecr create-repository --repository-name $REPO_NAME --image-scanning- configuration scanOnPush=true --region $REGION_CODE
│ │ │ │ -
│ │ │ │ -To edit the settings of an existing repository (AWS CLI)
│ │ │ │ -
│ │ │ │ -aws ecr put-image-scanning-configuration --repository-name $REPO_NAME -- image-scanning-configuration scanOnPush=true --region $REGION_CODE
│ │ │ │ -
│ │ │ │ -Use the following steps to start a manual image scan using the AWS Management Console.
│ │ │ │ -
│ │ │ │ -1. Open the Amazon ECR console at https://console.aws.amazon.com/ecr/repositories.
│ │ │ │ -2. From the navigation bar, choose the Region to create your repository in.
│ │ │ │ -3. In the navigation pane, choose Repositories.
│ │ │ │ -4. On the Repositories page, choose the repository that contains the image to scan.
│ │ │ │ -5. On the Images page, select the image to scan and then choose Scan.
│ │ │ │ -      Is it the case that image vulnerability scanning is enabled?</ocil:question_text>
│ │ │ │ -    </ocil:boolean_question>
│ │ │ │ -    <ocil:boolean_question id="ocil:ssg-read_only_registry_access_question:question:1">
│ │ │ │ -      <ocil:question_text>Review AWS ECS worker node IAM role (NodeInstanceRole) IAM Policy Permissions
│ │ │ │ -to verify that they are set and the minimum required level. If utilizing a
│ │ │ │ -3rd party tool to scan images utilize the minimum required permission level
│ │ │ │ -required to interact with the cluster - generally this should be read-only.
│ │ │ │ -
│ │ │ │ -Remediation:
│ │ │ │ -
│ │ │ │ -You can use your Amazon ECR images with Amazon EKS, but you need to satisfy
│ │ │ │ -the following prerequisites.
│ │ │ │ -The Amazon EKS worker node IAM role (NodeInstanceRole) that you use with your
│ │ │ │ -worker nodes must possess the following IAM policy permissions for Amazon
│ │ │ │ -ECR.
│ │ │ │ -
│ │ │ │ -
│ │ │ │ -{
│ │ │ │ -  "Version": "2012-10-17",
│ │ │ │ -  "Statement": [
│ │ │ │ -    {
│ │ │ │ -      "Effect": "Allow",
│ │ │ │ -      "Action": [
│ │ │ │ -        "ecr:BatchCheckLayerAvailability",
│ │ │ │ -        "ecr:BatchGetImage",
│ │ │ │ -        "ecr:GetDownloadUrlForLayer",
│ │ │ │ -        "ecr:GetAuthorizationToken"
│ │ │ │ -      ],
│ │ │ │ -      "Resource": "*"
│ │ │ │ -    }
│ │ │ │ -  ]
│ │ │ │ -}
│ │ │ │ -
│ │ │ │ -      Is it the case that Cluster Service Account has read-only access to Amazon ECR?</ocil:question_text>
│ │ │ │ -    </ocil:boolean_question>
│ │ │ │ -    <ocil:boolean_question id="ocil:ssg-kubelet_enable_cert_rotation_question:question:1">
│ │ │ │ -      <ocil:question_text>Run the following command on the kubelet node(s):
│ │ │ │ -$ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1"' | grep rotateCertificates; done
│ │ │ │ -The output should return nothing or true.
│ │ │ │ -      Is it the case that the kubelet cannot rotate client certificate?</ocil:question_text>
│ │ │ │ -    </ocil:boolean_question>
│ │ │ │ -    <ocil:boolean_question id="ocil:ssg-kubelet_enable_streaming_connections_deprecated_question:question:1">
│ │ │ │ -      <ocil:question_text>Run the following command on the kubelet node(s):
│ │ │ │ -$ sudo grep streamingConnectionIdleTimeout /etc/kubernetes/kubelet/kubelet-config.json
│ │ │ │ -The output should return {{ .var_streaming_connection_timeouts }}.
│ │ │ │ -      Is it the case that the streaming connection timeouts are not disabled?</ocil:question_text>
│ │ │ │ -    </ocil:boolean_question>
│ │ │ │ -    <ocil:boolean_question id="ocil:ssg-kubelet_enable_client_cert_rotation_question:question:1">
│ │ │ │ -      <ocil:question_text>Run the following command on the kubelet node(s):
│ │ │ │ -$ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1"' | grep RotateKubeletClientCertificate; done
│ │ │ │ -The output should return nothing or true.
│ │ │ │ -      Is it the case that the kubelet cannot rotate client certificate?</ocil:question_text>
│ │ │ │ -    </ocil:boolean_question>
│ │ │ │ -    <ocil:boolean_question id="ocil:ssg-file_permissions_kubelet_conf_question:question:1">
│ │ │ │ -      <ocil:question_text>To check the permissions of /etc/kubernetes/kubelet/kubelet-config.json,
│ │ │ │ -run the command:
│ │ │ │ -$ ls -l /etc/kubernetes/kubelet/kubelet-config.json
│ │ │ │ -If properly configured, the output should indicate the following permissions:
│ │ │ │ --rw-r--r--
│ │ │ │ -      Is it the case that /etc/kubernetes/kubelet/kubelet-config.json does not have unix mode -rw-r--r--?</ocil:question_text>
│ │ │ │ -    </ocil:boolean_question>
│ │ │ │      <ocil:boolean_question id="ocil:ssg-control_plane_access_question:question:1">
│ │ │ │        <ocil:question_text>Audit:
│ │ │ │  Input:
│ │ │ │  
│ │ │ │  aws eks describe-cluster \
│ │ │ │  --region region \
│ │ │ │  --name clustername
│ │ │ │ @@ -1019,9 +951,77 @@
│ │ │ │  --name dev \
│ │ │ │  --resources-vpc-config \
│ │ │ │  endpointPublicAccess=true, \
│ │ │ │  publicAccessCidrs="203.0.113.5/32",\
│ │ │ │  endpointPrivateAccess=true
│ │ │ │        Is it the case that the control plane endpoint is secure?</ocil:question_text>
│ │ │ │      </ocil:boolean_question>
│ │ │ │ +    <ocil:boolean_question id="ocil:ssg-secret_encryption_question:question:1">
│ │ │ │ +      <ocil:question_text>Audit:
│ │ │ │ +
│ │ │ │ +For Amazon EKS clusters with Secrets Encryption enabled, look for
│ │ │ │ +'encryptionConfig' configuration when you run:
│ │ │ │ +aws eks describe-cluster --name="cluster-name"
│ │ │ │ +
│ │ │ │ +Remediation:
│ │ │ │ +
│ │ │ │ +Enable 'Secrets Encryption' during Amazon EKS cluster creation as
│ │ │ │ +described in the links within the 'References' section.
│ │ │ │ +
│ │ │ │ +References:
│ │ │ │ +
│ │ │ │ +  https://docs.aws.amazon.com/eks/latest/userguide/create-cluster.html
│ │ │ │ +  https://eksworkshop.com/beginner/191_secrets/
│ │ │ │ +
│ │ │ │ +      Is it the case that kubernetes secrets are encrypted in etcd?</ocil:question_text>
│ │ │ │ +    </ocil:boolean_question>
│ │ │ │ +    <ocil:boolean_question id="ocil:ssg-file_permissions_kubelet_conf_question:question:1">
│ │ │ │ +      <ocil:question_text>To check the permissions of /etc/kubernetes/kubelet/kubelet-config.json,
│ │ │ │ +run the command:
│ │ │ │ +$ ls -l /etc/kubernetes/kubelet/kubelet-config.json
│ │ │ │ +If properly configured, the output should indicate the following permissions:
│ │ │ │ +-rw-r--r--
│ │ │ │ +      Is it the case that /etc/kubernetes/kubelet/kubelet-config.json does not have unix mode -rw-r--r--?</ocil:question_text>
│ │ │ │ +    </ocil:boolean_question>
│ │ │ │ +    <ocil:boolean_question id="ocil:ssg-configure_network_policies_namespaces_question:question:1">
│ │ │ │ +      <ocil:question_text>Verify that the every non-control plane namespace has an appropriate
│ │ │ │ +NetworkPolicy.
│ │ │ │ +
│ │ │ │ +To get all the non-control plane namespaces, you can do the
│ │ │ │ +following command $ oc get  namespaces -o json | jq '[.items[] | select((.metadata.name | startswith("openshift") | not) and (.metadata.name | startswith("kube-") | not) and .metadata.name != "default" and ({{if ne .var_network_policies_namespaces_exempt_regex "None"}}.metadata.name | test("{{.var_network_policies_namespaces_exempt_regex}}") | not{{else}}true{{end}})) | .metadata.name ]'
│ │ │ │ +
│ │ │ │ +To get all the non-control plane namespaces with a NetworkPolicy, you can do the
│ │ │ │ +following command $ oc get --all-namespaces networkpolicies -o json | jq '[.items[] | select((.metadata.namespace | startswith("openshift") | not) and (.metadata.namespace | startswith("kube-") | not) and .metadata.namespace != "default" and ({{if ne .var_network_policies_namespaces_exempt_regex "None"}}.metadata.namespace | test("{{.var_network_policies_namespaces_exempt_regex}}") | not{{else}}true{{end}})) | .metadata.namespace] | unique'
│ │ │ │ +
│ │ │ │ +Namespaces matching the variable ocp4-var-network-policies-namespaces-exempt-regex regex are excluded from this check.
│ │ │ │ +
│ │ │ │ +Make sure that the namespaces displayed in the commands of the commands match.
│ │ │ │ +      Is it the case that Namespaced Network Policies needs review?</ocil:question_text>
│ │ │ │ +    </ocil:boolean_question>
│ │ │ │ +    <ocil:boolean_question id="ocil:ssg-audit_logging_question:question:1">
│ │ │ │ +      <ocil:question_text>Perform the following to determine if CloudTrail is enabled for all regions:
│ │ │ │ +Via the Management Console
│ │ │ │ +1. Sign in to the AWS Management Console and open the EKS console at https://console.aws.amazon.com/eks
│ │ │ │ +2. Click on Cluster Name of the cluster you are auditing
│ │ │ │ +3. Click Logging
│ │ │ │ +4. Ensure all 5 choices are set to Enabled
│ │ │ │ +Via CLI
│ │ │ │ +aws --region "${REGION_CODE}" eks describe-cluster --name "${CLUSTER_NAME}"  --query 'cluster.logging.clusterLogging[?enabled==true].types'
│ │ │ │ +
│ │ │ │ +Perform the following to determine if CloudTrail is enabled for all regions:
│ │ │ │ +Via The Management Console
│ │ │ │ +1. Sign in to the AWS Management Console and open the EKS console at https://console.aws.amazon.com/eks
│ │ │ │ +2. Click on Cluster Name of the cluster you are auditing
│ │ │ │ +3. Click Logging
│ │ │ │ +4. Select Manage Logging from the button on the right hand side
│ │ │ │ +5. Toggle each selection to the Enabled position.
│ │ │ │ +6. Click Save Changes
│ │ │ │ +      Is it the case that audit logging is enable?</ocil:question_text>
│ │ │ │ +    </ocil:boolean_question>
│ │ │ │ +    <ocil:boolean_question id="ocil:ssg-kubelet_enable_protect_kernel_defaults_question:question:1">
│ │ │ │ +      <ocil:question_text>Run the following command on the kubelet node(s):
│ │ │ │ +$ sudo grep protectKernelDefaults /etc/kubernetes/kubelet/kubelet-config.json
│ │ │ │ +The output should return true.
│ │ │ │ +      Is it the case that the kubelet can modify kernel parameters?</ocil:question_text>
│ │ │ │ +    </ocil:boolean_question>
│ │ │ │    </ocil:questions>
│ │ │ │  </ocil:ocil>
│ │ ├── ./usr/share/xml/scap/ssg/content/ssg-firefox-ds.xml
│ │ │ ├── ./usr/share/xml/scap/ssg/content/ssg-firefox-ds.xml
│ │ │ │┄ Ordering differences only
│ │ │ │ @@ -5207,377 +5207,475 @@
│ │ │ │        <ocil:generator>
│ │ │ │          <ocil:product_name>build_shorthand.py from SCAP Security Guide</ocil:product_name>
│ │ │ │          <ocil:product_version>ssg: 0.1.76</ocil:product_version>
│ │ │ │          <ocil:schema_version>2.0</ocil:schema_version>
│ │ │ │          <ocil:timestamp>2025-03-01T08:08:00</ocil:timestamp>
│ │ │ │        </ocil:generator>
│ │ │ │        <ocil:questionnaires>
│ │ │ │ -        <ocil:questionnaire id="ocil:ssg-firefox_policy-javascript_window_resizing_ocil:questionnaire:1">
│ │ │ │ -          <ocil:title>Disable JavaScript's Moving Or Resizing Windows Capability</ocil:title>
│ │ │ │ +        <ocil:questionnaire id="ocil:ssg-firefox_policy-content_blocker_ocil:questionnaire:1">
│ │ │ │ +          <ocil:title>Ensure the Content Blocker uBlock Origin is Installed</ocil:title>
│ │ │ │            <ocil:actions>
│ │ │ │ -            <ocil:test_action_ref>ocil:ssg-firefox_policy-javascript_window_resizing_action:testaction:1</ocil:test_action_ref>
│ │ │ │ +            <ocil:test_action_ref>ocil:ssg-firefox_policy-content_blocker_action:testaction:1</ocil:test_action_ref>
│ │ │ │            </ocil:actions>
│ │ │ │          </ocil:questionnaire>
│ │ │ │ -        <ocil:questionnaire id="ocil:ssg-installed_firefox_version_supported_ocil:questionnaire:1">
│ │ │ │ -          <ocil:title>Supported Version of Firefox Installed</ocil:title>
│ │ │ │ +        <ocil:questionnaire id="ocil:ssg-firefox_policy-search_update_ocil:questionnaire:1">
│ │ │ │ +          <ocil:title>Disable Installed Search Plugins Update Checking</ocil:title>
│ │ │ │            <ocil:actions>
│ │ │ │ -            <ocil:test_action_ref>ocil:ssg-installed_firefox_version_supported_action:testaction:1</ocil:test_action_ref>
│ │ │ │ +            <ocil:test_action_ref>ocil:ssg-firefox_policy-search_update_action:testaction:1</ocil:test_action_ref>
│ │ │ │            </ocil:actions>
│ │ │ │          </ocil:questionnaire>
│ │ │ │ -        <ocil:questionnaire id="ocil:ssg-firefox_policy-disable_studies_ocil:questionnaire:1">
│ │ │ │ -          <ocil:title>Disable Firefox Studies</ocil:title>
│ │ │ │ +        <ocil:questionnaire id="ocil:ssg-firefox_policy-pop-up_windows_ocil:questionnaire:1">
│ │ │ │ +          <ocil:title>Enable Firefox Pop-up Blocker</ocil:title>
│ │ │ │            <ocil:actions>
│ │ │ │ -            <ocil:test_action_ref>ocil:ssg-firefox_policy-disable_studies_action:testaction:1</ocil:test_action_ref>
│ │ │ │ +            <ocil:test_action_ref>ocil:ssg-firefox_policy-pop-up_windows_action:testaction:1</ocil:test_action_ref>
│ │ │ │            </ocil:actions>
│ │ │ │          </ocil:questionnaire>
│ │ │ │ -        <ocil:questionnaire id="ocil:ssg-firefox_policy-javascript_window_changes_ocil:questionnaire:1">
│ │ │ │ -          <ocil:title>Disable JavaScript's Raise Or Lower Windows Capability</ocil:title>
│ │ │ │ +        <ocil:questionnaire id="ocil:ssg-firefox_policy-autoplay_video_ocil:questionnaire:1">
│ │ │ │ +          <ocil:title>Firefox autoplay must be disabled.</ocil:title>
│ │ │ │            <ocil:actions>
│ │ │ │ -            <ocil:test_action_ref>ocil:ssg-firefox_policy-javascript_window_changes_action:testaction:1</ocil:test_action_ref>
│ │ │ │ +            <ocil:test_action_ref>ocil:ssg-firefox_policy-autoplay_video_action:testaction:1</ocil:test_action_ref>
│ │ │ │            </ocil:actions>
│ │ │ │          </ocil:questionnaire>
│ │ │ │ -        <ocil:questionnaire id="ocil:ssg-firefox_preferences-enable_ca_trust_ocil:questionnaire:1">
│ │ │ │ -          <ocil:title>Enable Shared System Certificates</ocil:title>
│ │ │ │ +        <ocil:questionnaire id="ocil:ssg-firefox_policy-private_browsing_ocil:questionnaire:1">
│ │ │ │ +          <ocil:title>Firefox private browsing must be disabled.</ocil:title>
│ │ │ │            <ocil:actions>
│ │ │ │ -            <ocil:test_action_ref>ocil:ssg-firefox_preferences-enable_ca_trust_action:testaction:1</ocil:test_action_ref>
│ │ │ │ +            <ocil:test_action_ref>ocil:ssg-firefox_policy-private_browsing_action:testaction:1</ocil:test_action_ref>
│ │ │ │            </ocil:actions>
│ │ │ │          </ocil:questionnaire>
│ │ │ │ -        <ocil:questionnaire id="ocil:ssg-firefox_policy-autoplay_video_ocil:questionnaire:1">
│ │ │ │ -          <ocil:title>Firefox autoplay must be disabled.</ocil:title>
│ │ │ │ +        <ocil:questionnaire id="ocil:ssg-firefox_preferences-auto-download_actions_ocil:questionnaire:1">
│ │ │ │ +          <ocil:title>Disable auto-download for proscribed MIME types.</ocil:title>
│ │ │ │            <ocil:actions>
│ │ │ │ -            <ocil:test_action_ref>ocil:ssg-firefox_policy-autoplay_video_action:testaction:1</ocil:test_action_ref>
│ │ │ │ +            <ocil:test_action_ref>ocil:ssg-firefox_preferences-auto-download_actions_action:testaction:1</ocil:test_action_ref>
│ │ │ │ +          </ocil:actions>
│ │ │ │ +        </ocil:questionnaire>
│ │ │ │ +        <ocil:questionnaire id="ocil:ssg-firefox_policy-development_tools_ocil:questionnaire:1">
│ │ │ │ +          <ocil:title>Disable Firefox Development Tools</ocil:title>
│ │ │ │ +          <ocil:actions>
│ │ │ │ +            <ocil:test_action_ref>ocil:ssg-firefox_policy-development_tools_action:testaction:1</ocil:test_action_ref>
│ │ │ │            </ocil:actions>
│ │ │ │          </ocil:questionnaire>
│ │ │ │          <ocil:questionnaire id="ocil:ssg-firefox_policy-verification_ocil:questionnaire:1">
│ │ │ │            <ocil:title>Enable Certificate Verification</ocil:title>
│ │ │ │            <ocil:actions>
│ │ │ │              <ocil:test_action_ref>ocil:ssg-firefox_policy-verification_action:testaction:1</ocil:test_action_ref>
│ │ │ │            </ocil:actions>
│ │ │ │          </ocil:questionnaire>
│ │ │ │ -        <ocil:questionnaire id="ocil:ssg-firefox_policy-content_blocker_ocil:questionnaire:1">
│ │ │ │ -          <ocil:title>Ensure the Content Blocker uBlock Origin is Installed</ocil:title>
│ │ │ │ +        <ocil:questionnaire id="ocil:ssg-firefox_policy-search_suggestion_ocil:questionnaire:1">
│ │ │ │ +          <ocil:title>Firefox search suggestions must be disabled.</ocil:title>
│ │ │ │            <ocil:actions>
│ │ │ │ -            <ocil:test_action_ref>ocil:ssg-firefox_policy-content_blocker_action:testaction:1</ocil:test_action_ref>
│ │ │ │ +            <ocil:test_action_ref>ocil:ssg-firefox_policy-search_suggestion_action:testaction:1</ocil:test_action_ref>
│ │ │ │            </ocil:actions>
│ │ │ │          </ocil:questionnaire>
│ │ │ │ -        <ocil:questionnaire id="ocil:ssg-firefox_policy-fingerprinting_protection_ocil:questionnaire:1">
│ │ │ │ -          <ocil:title>Enabled Firefox Fingerprinting Protection</ocil:title>
│ │ │ │ +        <ocil:questionnaire id="ocil:ssg-installed_firefox_version_supported_ocil:questionnaire:1">
│ │ │ │ +          <ocil:title>Supported Version of Firefox Installed</ocil:title>
│ │ │ │            <ocil:actions>
│ │ │ │ -            <ocil:test_action_ref>ocil:ssg-firefox_policy-fingerprinting_protection_action:testaction:1</ocil:test_action_ref>
│ │ │ │ +            <ocil:test_action_ref>ocil:ssg-installed_firefox_version_supported_action:testaction:1</ocil:test_action_ref>
│ │ │ │            </ocil:actions>
│ │ │ │          </ocil:questionnaire>
│ │ │ │ -        <ocil:questionnaire id="ocil:ssg-firefox_policy-enhanced_tracking_ocil:questionnaire:1">
│ │ │ │ -          <ocil:title>Enabled Firefox Enhanced Tracking Protection</ocil:title>
│ │ │ │ +        <ocil:questionnaire id="ocil:ssg-firefox_policy-disable_studies_ocil:questionnaire:1">
│ │ │ │ +          <ocil:title>Disable Firefox Studies</ocil:title>
│ │ │ │            <ocil:actions>
│ │ │ │ -            <ocil:test_action_ref>ocil:ssg-firefox_policy-enhanced_tracking_action:testaction:1</ocil:test_action_ref>
│ │ │ │ +            <ocil:test_action_ref>ocil:ssg-firefox_policy-disable_studies_action:testaction:1</ocil:test_action_ref>
│ │ │ │            </ocil:actions>
│ │ │ │          </ocil:questionnaire>
│ │ │ │ -        <ocil:questionnaire id="ocil:ssg-firefox_policy-extension_recommendation_ocil:questionnaire:1">
│ │ │ │ -          <ocil:title>Disabled Firefox Extension Recommendations</ocil:title>
│ │ │ │ +        <ocil:questionnaire id="ocil:ssg-firefox_policy-cryptomining_ocil:questionnaire:1">
│ │ │ │ +          <ocil:title>Enabled Firefox Cryptomining protection</ocil:title>
│ │ │ │            <ocil:actions>
│ │ │ │ -            <ocil:test_action_ref>ocil:ssg-firefox_policy-extension_recommendation_action:testaction:1</ocil:test_action_ref>
│ │ │ │ +            <ocil:test_action_ref>ocil:ssg-firefox_policy-cryptomining_action:testaction:1</ocil:test_action_ref>
│ │ │ │            </ocil:actions>
│ │ │ │          </ocil:questionnaire>
│ │ │ │ -        <ocil:questionnaire id="ocil:ssg-firefox_policy-disable_pocket_ocil:questionnaire:1">
│ │ │ │ -          <ocil:title>Disable Firefox Pocket</ocil:title>
│ │ │ │ +        <ocil:questionnaire id="ocil:ssg-firefox_preferences-enable_ca_trust_ocil:questionnaire:1">
│ │ │ │ +          <ocil:title>Enable Shared System Certificates</ocil:title>
│ │ │ │            <ocil:actions>
│ │ │ │ -            <ocil:test_action_ref>ocil:ssg-firefox_policy-disable_pocket_action:testaction:1</ocil:test_action_ref>
│ │ │ │ +            <ocil:test_action_ref>ocil:ssg-firefox_preferences-enable_ca_trust_action:testaction:1</ocil:test_action_ref>
│ │ │ │            </ocil:actions>
│ │ │ │          </ocil:questionnaire>
│ │ │ │ -        <ocil:questionnaire id="ocil:ssg-firefox_policy-extension_update_ocil:questionnaire:1">
│ │ │ │ -          <ocil:title>Firefox must be configured to not automatically update installed add-ons and plugins.</ocil:title>
│ │ │ │ +        <ocil:questionnaire id="ocil:ssg-firefox_policy-javascript_window_changes_ocil:questionnaire:1">
│ │ │ │ +          <ocil:title>Disable JavaScript's Raise Or Lower Windows Capability</ocil:title>
│ │ │ │            <ocil:actions>
│ │ │ │ -            <ocil:test_action_ref>ocil:ssg-firefox_policy-extension_update_action:testaction:1</ocil:test_action_ref>
│ │ │ │ +            <ocil:test_action_ref>ocil:ssg-firefox_policy-javascript_window_changes_action:testaction:1</ocil:test_action_ref>
│ │ │ │            </ocil:actions>
│ │ │ │          </ocil:questionnaire>
│ │ │ │ -        <ocil:questionnaire id="ocil:ssg-firefox_policy-forget_button_ocil:questionnaire:1">
│ │ │ │ -          <ocil:title>Firefox must prevent the user from quickly deleting data.</ocil:title>
│ │ │ │ +        <ocil:questionnaire id="ocil:ssg-firefox_policy-disable_deprecated_ciphers_ocil:questionnaire:1">
│ │ │ │ +          <ocil:title>Disable Firefox deprecated ciphers</ocil:title>
│ │ │ │            <ocil:actions>
│ │ │ │ -            <ocil:test_action_ref>ocil:ssg-firefox_policy-forget_button_action:testaction:1</ocil:test_action_ref>
│ │ │ │ +            <ocil:test_action_ref>ocil:ssg-firefox_policy-disable_deprecated_ciphers_action:testaction:1</ocil:test_action_ref>
│ │ │ │            </ocil:actions>
│ │ │ │          </ocil:questionnaire>
│ │ │ │ -        <ocil:questionnaire id="ocil:ssg-firefox_policy-pop-up_windows_ocil:questionnaire:1">
│ │ │ │ -          <ocil:title>Enable Firefox Pop-up Blocker</ocil:title>
│ │ │ │ +        <ocil:questionnaire id="ocil:ssg-firefox_policy-telemetry_ocil:questionnaire:1">
│ │ │ │ +          <ocil:title>Disable Firefox Telemetry</ocil:title>
│ │ │ │            <ocil:actions>
│ │ │ │ -            <ocil:test_action_ref>ocil:ssg-firefox_policy-pop-up_windows_action:testaction:1</ocil:test_action_ref>
│ │ │ │ +            <ocil:test_action_ref>ocil:ssg-firefox_policy-telemetry_action:testaction:1</ocil:test_action_ref>
│ │ │ │            </ocil:actions>
│ │ │ │          </ocil:questionnaire>
│ │ │ │ -        <ocil:questionnaire id="ocil:ssg-firefox_policy-disable_deprecated_ciphers_ocil:questionnaire:1">
│ │ │ │ -          <ocil:title>Disable Firefox deprecated ciphers</ocil:title>
│ │ │ │ +        <ocil:questionnaire id="ocil:ssg-firefox_policy-disable_pocket_ocil:questionnaire:1">
│ │ │ │ +          <ocil:title>Disable Firefox Pocket</ocil:title>
│ │ │ │            <ocil:actions>
│ │ │ │ -            <ocil:test_action_ref>ocil:ssg-firefox_policy-disable_deprecated_ciphers_action:testaction:1</ocil:test_action_ref>
│ │ │ │ +            <ocil:test_action_ref>ocil:ssg-firefox_policy-disable_pocket_action:testaction:1</ocil:test_action_ref>
│ │ │ │            </ocil:actions>
│ │ │ │          </ocil:questionnaire>
│ │ │ │ -        <ocil:questionnaire id="ocil:ssg-firefox_policy-private_browsing_ocil:questionnaire:1">
│ │ │ │ -          <ocil:title>Firefox private browsing must be disabled.</ocil:title>
│ │ │ │ +        <ocil:questionnaire id="ocil:ssg-firefox_policy-fingerprinting_protection_ocil:questionnaire:1">
│ │ │ │ +          <ocil:title>Enabled Firefox Fingerprinting Protection</ocil:title>
│ │ │ │            <ocil:actions>
│ │ │ │ -            <ocil:test_action_ref>ocil:ssg-firefox_policy-private_browsing_action:testaction:1</ocil:test_action_ref>
│ │ │ │ +            <ocil:test_action_ref>ocil:ssg-firefox_policy-fingerprinting_protection_action:testaction:1</ocil:test_action_ref>
│ │ │ │            </ocil:actions>
│ │ │ │          </ocil:questionnaire>
│ │ │ │ -        <ocil:questionnaire id="ocil:ssg-firefox_policy-development_tools_ocil:questionnaire:1">
│ │ │ │ -          <ocil:title>Disable Firefox Development Tools</ocil:title>
│ │ │ │ +        <ocil:questionnaire id="ocil:ssg-firefox_policy-forget_button_ocil:questionnaire:1">
│ │ │ │ +          <ocil:title>Firefox must prevent the user from quickly deleting data.</ocil:title>
│ │ │ │            <ocil:actions>
│ │ │ │ -            <ocil:test_action_ref>ocil:ssg-firefox_policy-development_tools_action:testaction:1</ocil:test_action_ref>
│ │ │ │ +            <ocil:test_action_ref>ocil:ssg-firefox_policy-forget_button_action:testaction:1</ocil:test_action_ref>
│ │ │ │            </ocil:actions>
│ │ │ │          </ocil:questionnaire>
│ │ │ │          <ocil:questionnaire id="ocil:ssg-firefox_policy-network_prediction_ocil:questionnaire:1">
│ │ │ │            <ocil:title>Disable Firefox network prediction</ocil:title>
│ │ │ │            <ocil:actions>
│ │ │ │              <ocil:test_action_ref>ocil:ssg-firefox_policy-network_prediction_action:testaction:1</ocil:test_action_ref>
│ │ │ │            </ocil:actions>
│ │ │ │          </ocil:questionnaire>
│ │ │ │ -        <ocil:questionnaire id="ocil:ssg-firefox_preferences-dod_root_certificate_installed_ocil:questionnaire:1">
│ │ │ │ -          <ocil:title>The DoD Root Certificate Exists</ocil:title>
│ │ │ │ -          <ocil:actions>
│ │ │ │ -            <ocil:test_action_ref>ocil:ssg-firefox_preferences-dod_root_certificate_installed_action:testaction:1</ocil:test_action_ref>
│ │ │ │ -          </ocil:actions>
│ │ │ │ -        </ocil:questionnaire>
│ │ │ │ -        <ocil:questionnaire id="ocil:ssg-firefox_policy-telemetry_ocil:questionnaire:1">
│ │ │ │ -          <ocil:title>Disable Firefox Telemetry</ocil:title>
│ │ │ │ +        <ocil:questionnaire id="ocil:ssg-firefox_policy-javascript_window_resizing_ocil:questionnaire:1">
│ │ │ │ +          <ocil:title>Disable JavaScript's Moving Or Resizing Windows Capability</ocil:title>
│ │ │ │            <ocil:actions>
│ │ │ │ -            <ocil:test_action_ref>ocil:ssg-firefox_policy-telemetry_action:testaction:1</ocil:test_action_ref>
│ │ │ │ +            <ocil:test_action_ref>ocil:ssg-firefox_policy-javascript_window_resizing_action:testaction:1</ocil:test_action_ref>
│ │ │ │            </ocil:actions>
│ │ │ │          </ocil:questionnaire>
│ │ │ │ -        <ocil:questionnaire id="ocil:ssg-firefox_policy-search_suggestion_ocil:questionnaire:1">
│ │ │ │ -          <ocil:title>Firefox search suggestions must be disabled.</ocil:title>
│ │ │ │ +        <ocil:questionnaire id="ocil:ssg-firefox_policy-extension_recommendation_ocil:questionnaire:1">
│ │ │ │ +          <ocil:title>Disabled Firefox Extension Recommendations</ocil:title>
│ │ │ │            <ocil:actions>
│ │ │ │ -            <ocil:test_action_ref>ocil:ssg-firefox_policy-search_suggestion_action:testaction:1</ocil:test_action_ref>
│ │ │ │ +            <ocil:test_action_ref>ocil:ssg-firefox_policy-extension_recommendation_action:testaction:1</ocil:test_action_ref>
│ │ │ │            </ocil:actions>
│ │ │ │          </ocil:questionnaire>
│ │ │ │ -        <ocil:questionnaire id="ocil:ssg-firefox_policy-cryptomining_ocil:questionnaire:1">
│ │ │ │ -          <ocil:title>Enabled Firefox Cryptomining protection</ocil:title>
│ │ │ │ +        <ocil:questionnaire id="ocil:ssg-firefox_policy-extension_update_ocil:questionnaire:1">
│ │ │ │ +          <ocil:title>Firefox must be configured to not automatically update installed add-ons and plugins.</ocil:title>
│ │ │ │            <ocil:actions>
│ │ │ │ -            <ocil:test_action_ref>ocil:ssg-firefox_policy-cryptomining_action:testaction:1</ocil:test_action_ref>
│ │ │ │ +            <ocil:test_action_ref>ocil:ssg-firefox_policy-extension_update_action:testaction:1</ocil:test_action_ref>
│ │ │ │            </ocil:actions>
│ │ │ │          </ocil:questionnaire>
│ │ │ │ -        <ocil:questionnaire id="ocil:ssg-firefox_preferences-auto-download_actions_ocil:questionnaire:1">
│ │ │ │ -          <ocil:title>Disable auto-download for proscribed MIME types.</ocil:title>
│ │ │ │ +        <ocil:questionnaire id="ocil:ssg-firefox_preferences-dod_root_certificate_installed_ocil:questionnaire:1">
│ │ │ │ +          <ocil:title>The DoD Root Certificate Exists</ocil:title>
│ │ │ │            <ocil:actions>
│ │ │ │ -            <ocil:test_action_ref>ocil:ssg-firefox_preferences-auto-download_actions_action:testaction:1</ocil:test_action_ref>
│ │ │ │ +            <ocil:test_action_ref>ocil:ssg-firefox_preferences-dod_root_certificate_installed_action:testaction:1</ocil:test_action_ref>
│ │ │ │            </ocil:actions>
│ │ │ │          </ocil:questionnaire>
│ │ │ │ -        <ocil:questionnaire id="ocil:ssg-firefox_policy-search_update_ocil:questionnaire:1">
│ │ │ │ -          <ocil:title>Disable Installed Search Plugins Update Checking</ocil:title>
│ │ │ │ +        <ocil:questionnaire id="ocil:ssg-firefox_policy-enhanced_tracking_ocil:questionnaire:1">
│ │ │ │ +          <ocil:title>Enabled Firefox Enhanced Tracking Protection</ocil:title>
│ │ │ │            <ocil:actions>
│ │ │ │ -            <ocil:test_action_ref>ocil:ssg-firefox_policy-search_update_action:testaction:1</ocil:test_action_ref>
│ │ │ │ +            <ocil:test_action_ref>ocil:ssg-firefox_policy-enhanced_tracking_action:testaction:1</ocil:test_action_ref>
│ │ │ │            </ocil:actions>
│ │ │ │          </ocil:questionnaire>
│ │ │ │        </ocil:questionnaires>
│ │ │ │        <ocil:test_actions>
│ │ │ │ -        <ocil:boolean_question_test_action id="ocil:ssg-firefox_policy-javascript_window_resizing_action:testaction:1" question_ref="ocil:ssg-firefox_policy-javascript_window_resizing_question:question:1">
│ │ │ │ +        <ocil:boolean_question_test_action id="ocil:ssg-firefox_policy-content_blocker_action:testaction:1" question_ref="ocil:ssg-firefox_policy-content_blocker_question:question:1">
│ │ │ │            <ocil:when_true>
│ │ │ │              <ocil:result>PASS</ocil:result>
│ │ │ │            </ocil:when_true>
│ │ │ │            <ocil:when_false>
│ │ │ │              <ocil:result>FAIL</ocil:result>
│ │ │ │            </ocil:when_false>
│ │ │ │          </ocil:boolean_question_test_action>
│ │ │ │ -        <ocil:boolean_question_test_action id="ocil:ssg-installed_firefox_version_supported_action:testaction:1" question_ref="ocil:ssg-installed_firefox_version_supported_question:question:1">
│ │ │ │ +        <ocil:boolean_question_test_action id="ocil:ssg-firefox_policy-search_update_action:testaction:1" question_ref="ocil:ssg-firefox_policy-search_update_question:question:1">
│ │ │ │            <ocil:when_true>
│ │ │ │              <ocil:result>PASS</ocil:result>
│ │ │ │            </ocil:when_true>
│ │ │ │            <ocil:when_false>
│ │ │ │              <ocil:result>FAIL</ocil:result>
│ │ │ │            </ocil:when_false>
│ │ │ │          </ocil:boolean_question_test_action>
│ │ │ │ -        <ocil:boolean_question_test_action id="ocil:ssg-firefox_policy-disable_studies_action:testaction:1" question_ref="ocil:ssg-firefox_policy-disable_studies_question:question:1">
│ │ │ │ +        <ocil:boolean_question_test_action id="ocil:ssg-firefox_policy-pop-up_windows_action:testaction:1" question_ref="ocil:ssg-firefox_policy-pop-up_windows_question:question:1">
│ │ │ │            <ocil:when_true>
│ │ │ │              <ocil:result>PASS</ocil:result>
│ │ │ │            </ocil:when_true>
│ │ │ │            <ocil:when_false>
│ │ │ │              <ocil:result>FAIL</ocil:result>
│ │ │ │            </ocil:when_false>
│ │ │ │          </ocil:boolean_question_test_action>
│ │ │ │ -        <ocil:boolean_question_test_action id="ocil:ssg-firefox_policy-javascript_window_changes_action:testaction:1" question_ref="ocil:ssg-firefox_policy-javascript_window_changes_question:question:1">
│ │ │ │ +        <ocil:boolean_question_test_action id="ocil:ssg-firefox_policy-autoplay_video_action:testaction:1" question_ref="ocil:ssg-firefox_policy-autoplay_video_question:question:1">
│ │ │ │            <ocil:when_true>
│ │ │ │              <ocil:result>PASS</ocil:result>
│ │ │ │            </ocil:when_true>
│ │ │ │            <ocil:when_false>
│ │ │ │              <ocil:result>FAIL</ocil:result>
│ │ │ │            </ocil:when_false>
│ │ │ │          </ocil:boolean_question_test_action>
│ │ │ │ -        <ocil:boolean_question_test_action id="ocil:ssg-firefox_preferences-enable_ca_trust_action:testaction:1" question_ref="ocil:ssg-firefox_preferences-enable_ca_trust_question:question:1">
│ │ │ │ +        <ocil:boolean_question_test_action id="ocil:ssg-firefox_policy-private_browsing_action:testaction:1" question_ref="ocil:ssg-firefox_policy-private_browsing_question:question:1">
│ │ │ │            <ocil:when_true>
│ │ │ │              <ocil:result>PASS</ocil:result>
│ │ │ │            </ocil:when_true>
│ │ │ │            <ocil:when_false>
│ │ │ │              <ocil:result>FAIL</ocil:result>
│ │ │ │            </ocil:when_false>
│ │ │ │          </ocil:boolean_question_test_action>
│ │ │ │ -        <ocil:boolean_question_test_action id="ocil:ssg-firefox_policy-autoplay_video_action:testaction:1" question_ref="ocil:ssg-firefox_policy-autoplay_video_question:question:1">
│ │ │ │ +        <ocil:boolean_question_test_action id="ocil:ssg-firefox_preferences-auto-download_actions_action:testaction:1" question_ref="ocil:ssg-firefox_preferences-auto-download_actions_question:question:1">
│ │ │ │            <ocil:when_true>
│ │ │ │              <ocil:result>PASS</ocil:result>
│ │ │ │            </ocil:when_true>
│ │ │ │            <ocil:when_false>
│ │ │ │              <ocil:result>FAIL</ocil:result>
│ │ │ │            </ocil:when_false>
│ │ │ │          </ocil:boolean_question_test_action>
│ │ │ │ -        <ocil:boolean_question_test_action id="ocil:ssg-firefox_policy-verification_action:testaction:1" question_ref="ocil:ssg-firefox_policy-verification_question:question:1">
│ │ │ │ +        <ocil:boolean_question_test_action id="ocil:ssg-firefox_policy-development_tools_action:testaction:1" question_ref="ocil:ssg-firefox_policy-development_tools_question:question:1">
│ │ │ │            <ocil:when_true>
│ │ │ │              <ocil:result>PASS</ocil:result>
│ │ │ │            </ocil:when_true>
│ │ │ │            <ocil:when_false>
│ │ │ │              <ocil:result>FAIL</ocil:result>
│ │ │ │            </ocil:when_false>
│ │ │ │          </ocil:boolean_question_test_action>
│ │ │ │ -        <ocil:boolean_question_test_action id="ocil:ssg-firefox_policy-content_blocker_action:testaction:1" question_ref="ocil:ssg-firefox_policy-content_blocker_question:question:1">
│ │ │ │ +        <ocil:boolean_question_test_action id="ocil:ssg-firefox_policy-verification_action:testaction:1" question_ref="ocil:ssg-firefox_policy-verification_question:question:1">
│ │ │ │            <ocil:when_true>
│ │ │ │              <ocil:result>PASS</ocil:result>
│ │ │ │            </ocil:when_true>
│ │ │ │            <ocil:when_false>
│ │ │ │              <ocil:result>FAIL</ocil:result>
│ │ │ │            </ocil:when_false>
│ │ │ │          </ocil:boolean_question_test_action>
│ │ │ │ -        <ocil:boolean_question_test_action id="ocil:ssg-firefox_policy-fingerprinting_protection_action:testaction:1" question_ref="ocil:ssg-firefox_policy-fingerprinting_protection_question:question:1">
│ │ │ │ +        <ocil:boolean_question_test_action id="ocil:ssg-firefox_policy-search_suggestion_action:testaction:1" question_ref="ocil:ssg-firefox_policy-search_suggestion_question:question:1">
│ │ │ │            <ocil:when_true>
│ │ │ │              <ocil:result>PASS</ocil:result>
│ │ │ │            </ocil:when_true>
│ │ │ │            <ocil:when_false>
│ │ │ │              <ocil:result>FAIL</ocil:result>
│ │ │ │            </ocil:when_false>
│ │ │ │          </ocil:boolean_question_test_action>
│ │ │ │ -        <ocil:boolean_question_test_action id="ocil:ssg-firefox_policy-enhanced_tracking_action:testaction:1" question_ref="ocil:ssg-firefox_policy-enhanced_tracking_question:question:1">
│ │ │ │ +        <ocil:boolean_question_test_action id="ocil:ssg-installed_firefox_version_supported_action:testaction:1" question_ref="ocil:ssg-installed_firefox_version_supported_question:question:1">
│ │ │ │            <ocil:when_true>
│ │ │ │              <ocil:result>PASS</ocil:result>
│ │ │ │            </ocil:when_true>
│ │ │ │            <ocil:when_false>
│ │ │ │              <ocil:result>FAIL</ocil:result>
│ │ │ │            </ocil:when_false>
│ │ │ │          </ocil:boolean_question_test_action>
│ │ │ │ -        <ocil:boolean_question_test_action id="ocil:ssg-firefox_policy-extension_recommendation_action:testaction:1" question_ref="ocil:ssg-firefox_policy-extension_recommendation_question:question:1">
│ │ │ │ +        <ocil:boolean_question_test_action id="ocil:ssg-firefox_policy-disable_studies_action:testaction:1" question_ref="ocil:ssg-firefox_policy-disable_studies_question:question:1">
│ │ │ │            <ocil:when_true>
│ │ │ │              <ocil:result>PASS</ocil:result>
│ │ │ │            </ocil:when_true>
│ │ │ │            <ocil:when_false>
│ │ │ │              <ocil:result>FAIL</ocil:result>
│ │ │ │            </ocil:when_false>
│ │ │ │          </ocil:boolean_question_test_action>
│ │ │ │ -        <ocil:boolean_question_test_action id="ocil:ssg-firefox_policy-disable_pocket_action:testaction:1" question_ref="ocil:ssg-firefox_policy-disable_pocket_question:question:1">
│ │ │ │ +        <ocil:boolean_question_test_action id="ocil:ssg-firefox_policy-cryptomining_action:testaction:1" question_ref="ocil:ssg-firefox_policy-cryptomining_question:question:1">
│ │ │ │            <ocil:when_true>
│ │ │ │              <ocil:result>PASS</ocil:result>
│ │ │ │            </ocil:when_true>
│ │ │ │            <ocil:when_false>
│ │ │ │              <ocil:result>FAIL</ocil:result>
│ │ │ │            </ocil:when_false>
│ │ │ │          </ocil:boolean_question_test_action>
│ │ │ │ -        <ocil:boolean_question_test_action id="ocil:ssg-firefox_policy-extension_update_action:testaction:1" question_ref="ocil:ssg-firefox_policy-extension_update_question:question:1">
│ │ │ │ +        <ocil:boolean_question_test_action id="ocil:ssg-firefox_preferences-enable_ca_trust_action:testaction:1" question_ref="ocil:ssg-firefox_preferences-enable_ca_trust_question:question:1">
│ │ │ │            <ocil:when_true>
│ │ │ │              <ocil:result>PASS</ocil:result>
│ │ │ │            </ocil:when_true>
│ │ │ │            <ocil:when_false>
│ │ │ │              <ocil:result>FAIL</ocil:result>
│ │ │ │            </ocil:when_false>
│ │ │ │          </ocil:boolean_question_test_action>
│ │ │ │ -        <ocil:boolean_question_test_action id="ocil:ssg-firefox_policy-forget_button_action:testaction:1" question_ref="ocil:ssg-firefox_policy-forget_button_question:question:1">
│ │ │ │ +        <ocil:boolean_question_test_action id="ocil:ssg-firefox_policy-javascript_window_changes_action:testaction:1" question_ref="ocil:ssg-firefox_policy-javascript_window_changes_question:question:1">
│ │ │ │            <ocil:when_true>
│ │ │ │              <ocil:result>PASS</ocil:result>
│ │ │ │            </ocil:when_true>
│ │ │ │            <ocil:when_false>
│ │ │ │              <ocil:result>FAIL</ocil:result>
│ │ │ │            </ocil:when_false>
│ │ │ │          </ocil:boolean_question_test_action>
│ │ │ │ -        <ocil:boolean_question_test_action id="ocil:ssg-firefox_policy-pop-up_windows_action:testaction:1" question_ref="ocil:ssg-firefox_policy-pop-up_windows_question:question:1">
│ │ │ │ +        <ocil:boolean_question_test_action id="ocil:ssg-firefox_policy-disable_deprecated_ciphers_action:testaction:1" question_ref="ocil:ssg-firefox_policy-disable_deprecated_ciphers_question:question:1">
│ │ │ │            <ocil:when_true>
│ │ │ │              <ocil:result>PASS</ocil:result>
│ │ │ │            </ocil:when_true>
│ │ │ │            <ocil:when_false>
│ │ │ │              <ocil:result>FAIL</ocil:result>
│ │ │ │            </ocil:when_false>
│ │ │ │          </ocil:boolean_question_test_action>
│ │ │ │ -        <ocil:boolean_question_test_action id="ocil:ssg-firefox_policy-disable_deprecated_ciphers_action:testaction:1" question_ref="ocil:ssg-firefox_policy-disable_deprecated_ciphers_question:question:1">
│ │ │ │ +        <ocil:boolean_question_test_action id="ocil:ssg-firefox_policy-telemetry_action:testaction:1" question_ref="ocil:ssg-firefox_policy-telemetry_question:question:1">
│ │ │ │            <ocil:when_true>
│ │ │ │              <ocil:result>PASS</ocil:result>
│ │ │ │            </ocil:when_true>
│ │ │ │            <ocil:when_false>
│ │ │ │              <ocil:result>FAIL</ocil:result>
│ │ │ │            </ocil:when_false>
│ │ │ │          </ocil:boolean_question_test_action>
│ │ │ │ -        <ocil:boolean_question_test_action id="ocil:ssg-firefox_policy-private_browsing_action:testaction:1" question_ref="ocil:ssg-firefox_policy-private_browsing_question:question:1">
│ │ │ │ +        <ocil:boolean_question_test_action id="ocil:ssg-firefox_policy-disable_pocket_action:testaction:1" question_ref="ocil:ssg-firefox_policy-disable_pocket_question:question:1">
│ │ │ │            <ocil:when_true>
│ │ │ │              <ocil:result>PASS</ocil:result>
│ │ │ │            </ocil:when_true>
│ │ │ │            <ocil:when_false>
│ │ │ │              <ocil:result>FAIL</ocil:result>
│ │ │ │            </ocil:when_false>
│ │ │ │          </ocil:boolean_question_test_action>
│ │ │ │ -        <ocil:boolean_question_test_action id="ocil:ssg-firefox_policy-development_tools_action:testaction:1" question_ref="ocil:ssg-firefox_policy-development_tools_question:question:1">
│ │ │ │ +        <ocil:boolean_question_test_action id="ocil:ssg-firefox_policy-fingerprinting_protection_action:testaction:1" question_ref="ocil:ssg-firefox_policy-fingerprinting_protection_question:question:1">
│ │ │ │            <ocil:when_true>
│ │ │ │              <ocil:result>PASS</ocil:result>
│ │ │ │            </ocil:when_true>
│ │ │ │            <ocil:when_false>
│ │ │ │              <ocil:result>FAIL</ocil:result>
│ │ │ │            </ocil:when_false>
│ │ │ │          </ocil:boolean_question_test_action>
│ │ │ │ -        <ocil:boolean_question_test_action id="ocil:ssg-firefox_policy-network_prediction_action:testaction:1" question_ref="ocil:ssg-firefox_policy-network_prediction_question:question:1">
│ │ │ │ +        <ocil:boolean_question_test_action id="ocil:ssg-firefox_policy-forget_button_action:testaction:1" question_ref="ocil:ssg-firefox_policy-forget_button_question:question:1">
│ │ │ │            <ocil:when_true>
│ │ │ │              <ocil:result>PASS</ocil:result>
│ │ │ │            </ocil:when_true>
│ │ │ │            <ocil:when_false>
│ │ │ │              <ocil:result>FAIL</ocil:result>
│ │ │ │            </ocil:when_false>
│ │ │ │          </ocil:boolean_question_test_action>
│ │ │ │ -        <ocil:boolean_question_test_action id="ocil:ssg-firefox_preferences-dod_root_certificate_installed_action:testaction:1" question_ref="ocil:ssg-firefox_preferences-dod_root_certificate_installed_question:question:1">
│ │ │ │ +        <ocil:boolean_question_test_action id="ocil:ssg-firefox_policy-network_prediction_action:testaction:1" question_ref="ocil:ssg-firefox_policy-network_prediction_question:question:1">
│ │ │ │            <ocil:when_true>
│ │ │ │              <ocil:result>PASS</ocil:result>
│ │ │ │            </ocil:when_true>
│ │ │ │            <ocil:when_false>
│ │ │ │              <ocil:result>FAIL</ocil:result>
│ │ │ │            </ocil:when_false>
│ │ │ │          </ocil:boolean_question_test_action>
│ │ │ │ -        <ocil:boolean_question_test_action id="ocil:ssg-firefox_policy-telemetry_action:testaction:1" question_ref="ocil:ssg-firefox_policy-telemetry_question:question:1">
│ │ │ │ +        <ocil:boolean_question_test_action id="ocil:ssg-firefox_policy-javascript_window_resizing_action:testaction:1" question_ref="ocil:ssg-firefox_policy-javascript_window_resizing_question:question:1">
│ │ │ │            <ocil:when_true>
│ │ │ │              <ocil:result>PASS</ocil:result>
│ │ │ │            </ocil:when_true>
│ │ │ │            <ocil:when_false>
│ │ │ │              <ocil:result>FAIL</ocil:result>
│ │ │ │            </ocil:when_false>
│ │ │ │          </ocil:boolean_question_test_action>
│ │ │ │ -        <ocil:boolean_question_test_action id="ocil:ssg-firefox_policy-search_suggestion_action:testaction:1" question_ref="ocil:ssg-firefox_policy-search_suggestion_question:question:1">
│ │ │ │ +        <ocil:boolean_question_test_action id="ocil:ssg-firefox_policy-extension_recommendation_action:testaction:1" question_ref="ocil:ssg-firefox_policy-extension_recommendation_question:question:1">
│ │ │ │            <ocil:when_true>
│ │ │ │              <ocil:result>PASS</ocil:result>
│ │ │ │            </ocil:when_true>
│ │ │ │            <ocil:when_false>
│ │ │ │              <ocil:result>FAIL</ocil:result>
│ │ │ │            </ocil:when_false>
│ │ │ │          </ocil:boolean_question_test_action>
│ │ │ │ -        <ocil:boolean_question_test_action id="ocil:ssg-firefox_policy-cryptomining_action:testaction:1" question_ref="ocil:ssg-firefox_policy-cryptomining_question:question:1">
│ │ │ │ +        <ocil:boolean_question_test_action id="ocil:ssg-firefox_policy-extension_update_action:testaction:1" question_ref="ocil:ssg-firefox_policy-extension_update_question:question:1">
│ │ │ │            <ocil:when_true>
│ │ │ │              <ocil:result>PASS</ocil:result>
│ │ │ │            </ocil:when_true>
│ │ │ │            <ocil:when_false>
│ │ │ │              <ocil:result>FAIL</ocil:result>
│ │ │ │            </ocil:when_false>
│ │ │ │          </ocil:boolean_question_test_action>
│ │ │ │ -        <ocil:boolean_question_test_action id="ocil:ssg-firefox_preferences-auto-download_actions_action:testaction:1" question_ref="ocil:ssg-firefox_preferences-auto-download_actions_question:question:1">
│ │ │ │ +        <ocil:boolean_question_test_action id="ocil:ssg-firefox_preferences-dod_root_certificate_installed_action:testaction:1" question_ref="ocil:ssg-firefox_preferences-dod_root_certificate_installed_question:question:1">
│ │ │ │            <ocil:when_true>
│ │ │ │              <ocil:result>PASS</ocil:result>
│ │ │ │            </ocil:when_true>
│ │ │ │            <ocil:when_false>
│ │ │ │              <ocil:result>FAIL</ocil:result>
│ │ │ │            </ocil:when_false>
│ │ │ │          </ocil:boolean_question_test_action>
│ │ │ │ -        <ocil:boolean_question_test_action id="ocil:ssg-firefox_policy-search_update_action:testaction:1" question_ref="ocil:ssg-firefox_policy-search_update_question:question:1">
│ │ │ │ +        <ocil:boolean_question_test_action id="ocil:ssg-firefox_policy-enhanced_tracking_action:testaction:1" question_ref="ocil:ssg-firefox_policy-enhanced_tracking_question:question:1">
│ │ │ │            <ocil:when_true>
│ │ │ │              <ocil:result>PASS</ocil:result>
│ │ │ │            </ocil:when_true>
│ │ │ │            <ocil:when_false>
│ │ │ │              <ocil:result>FAIL</ocil:result>
│ │ │ │            </ocil:when_false>
│ │ │ │          </ocil:boolean_question_test_action>
│ │ │ │        </ocil:test_actions>
│ │ │ │        <ocil:questions>
│ │ │ │ -        <ocil:boolean_question id="ocil:ssg-firefox_policy-javascript_window_resizing_question:question:1">
│ │ │ │ -          <ocil:question_text>To verify that JavaScript cannot change windows sizing,
│ │ │ │ +        <ocil:boolean_question id="ocil:ssg-firefox_policy-content_blocker_question:question:1">
│ │ │ │ +          <ocil:question_text>To verify that the policy is modified to automatically install the content blocker and that it's updates are not disabled,
│ │ │ │ +type the following into the browser address bar:
│ │ │ │ +about:policies
│ │ │ │ +The output should have the following under ExtensionSettings:
│ │ │ │ +"uBlock0@raymondhill.net": {
│ │ │ │ +"    "installation_mode":"normal_installed",
│ │ │ │ +"    "install_url":"https://addons.mozilla.org/firefox/downloads/latest/ublock-origin/latest.xpi",
│ │ │ │ +"    "updates_disabled":false}
│ │ │ │ +      Is it the case that ?</ocil:question_text>
│ │ │ │ +        </ocil:boolean_question>
│ │ │ │ +        <ocil:boolean_question id="ocil:ssg-firefox_policy-search_update_question:question:1">
│ │ │ │ +          <ocil:question_text>To verify that checks for installed search plugin updates are disabled,
│ │ │ │ +type the following into the browser address bar:
│ │ │ │ +about:policies
│ │ │ │ +The output should have the following under browser.search.update:
│ │ │ │ +Value: false
│ │ │ │ +Status: "locked"
│ │ │ │ +      Is it the case that it is not disabled?</ocil:question_text>
│ │ │ │ +        </ocil:boolean_question>
│ │ │ │ +        <ocil:boolean_question id="ocil:ssg-firefox_policy-pop-up_windows_question:question:1">
│ │ │ │ +          <ocil:question_text>To verify that pop-up blocker is enabled,
│ │ │ │ +run the following command:
│ │ │ │ +$ grep -B10 'PopupBlocking' FIREFOX_INSTALL_DIR/*.cfg
│ │ │ │ +The output should include:
│ │ │ │ +"Default": true
│ │ │ │ +"Locked": true
│ │ │ │ +      Is it the case that it is not enabled?</ocil:question_text>
│ │ │ │ +        </ocil:boolean_question>
│ │ │ │ +        <ocil:boolean_question id="ocil:ssg-firefox_policy-autoplay_video_question:question:1">
│ │ │ │ +          <ocil:question_text>To verify that search suggestions are disabled,
│ │ │ │ +type the following into the browser address bar:
│ │ │ │ +about:policies
│ │ │ │ +The output should have the following under Permissions -&gt; Autoplay:
│ │ │ │ +"Default": "block-audio-video"
│ │ │ │ +      Is it the case that ?</ocil:question_text>
│ │ │ │ +        </ocil:boolean_question>
│ │ │ │ +        <ocil:boolean_question id="ocil:ssg-firefox_policy-private_browsing_question:question:1">
│ │ │ │ +          <ocil:question_text>To verify that private browsing is disabled
│ │ │ │  type the following into the browser address bar:
│ │ │ │  about:policies
│ │ │ │  The output should have the following uder dom.disable_window_move_resize:
│ │ │ │ -"Value": true,
│ │ │ │ -"Status": "locked",
│ │ │ │ +"DisablePrivateBrowsing": true
│ │ │ │ +      Is it the case that ?</ocil:question_text>
│ │ │ │ +        </ocil:boolean_question>
│ │ │ │ +        <ocil:boolean_question id="ocil:ssg-firefox_preferences-auto-download_actions_question:question:1">
│ │ │ │ +          <ocil:question_text>To verify that any proscribed file types are configured for automatic download,
│ │ │ │ +type "about:preferences" into the search bar,  then
│ │ │ │ +type "Applications" in the Find bar in the upper-right corner.
│ │ │ │ +If any of the following file extensions are listed and the Action item associated with it 
│ │ │ │ +is an application that does or can execute the code, this is a finding.
│ │ │ │ +If the entry exists and the "Action" is "Save File" or "Always Ask", this is not a finding.
│ │ │ │ +
│ │ │ │ +  HTA
│ │ │ │ +  JSE
│ │ │ │ +  JS
│ │ │ │ +  MOCHA
│ │ │ │ +  SHS
│ │ │ │ +  VBE
│ │ │ │ +  VBS
│ │ │ │ +  SCT
│ │ │ │ +  WSC
│ │ │ │ +  FDF
│ │ │ │ +  XFDF
│ │ │ │ +  LSL
│ │ │ │ +  LSO
│ │ │ │ +  LSS
│ │ │ │ +  IQY
│ │ │ │ +  RQY
│ │ │ │ +  DOS
│ │ │ │ +  BAT
│ │ │ │ +  PS
│ │ │ │ +  EPS
│ │ │ │ +  WCH
│ │ │ │ +  WCM
│ │ │ │ +  WB1
│ │ │ │ +  WB3
│ │ │ │ +  WCH
│ │ │ │ +  WCM
│ │ │ │ +  AD
│ │ │ │ +
│ │ │ │ +      Is it the case that ?</ocil:question_text>
│ │ │ │ +        </ocil:boolean_question>
│ │ │ │ +        <ocil:boolean_question id="ocil:ssg-firefox_policy-development_tools_question:question:1">
│ │ │ │ +          <ocil:question_text>To verify that Firefox Development Tools are disabled,
│ │ │ │ +type the following into the browser address bar:
│ │ │ │ +about:policies
│ │ │ │ +The output should have the following:
│ │ │ │ +"DisableDeveloperTools": true,
│ │ │ │        Is it the case that it is not disabled?</ocil:question_text>
│ │ │ │          </ocil:boolean_question>
│ │ │ │ +        <ocil:boolean_question id="ocil:ssg-firefox_policy-verification_question:question:1">
│ │ │ │ +          <ocil:question_text>To verify that certificate verification is enabled, type the following into the browser address bar:
│ │ │ │ +    about:policies
│ │ │ │ +The output should have the following under security.default_personal_cert:
│ │ │ │ +Value: "Ask Every Time"
│ │ │ │ +Status: "locked"
│ │ │ │ +      Is it the case that it is not enabled?</ocil:question_text>
│ │ │ │ +        </ocil:boolean_question>
│ │ │ │ +        <ocil:boolean_question id="ocil:ssg-firefox_policy-search_suggestion_question:question:1">
│ │ │ │ +          <ocil:question_text>To verify that search suggestions are disabled,
│ │ │ │ +type the following into the browser address bar:
│ │ │ │ +about:policies
│ │ │ │ +The output should have the following:
│ │ │ │ +"SearchSuggestEnabled": false
│ │ │ │ +      Is it the case that ?</ocil:question_text>
│ │ │ │ +        </ocil:boolean_question>
│ │ │ │          <ocil:boolean_question id="ocil:ssg-installed_firefox_version_supported_question:question:1">
│ │ │ │            <ocil:question_text>If the system is joined to the Red Hat Network, a Red Hat Satellite Server, or
│ │ │ │  a yum server which provides updates, invoking the following command will
│ │ │ │  indicate if updates are available:
│ │ │ │  $ sudo yum check-update
│ │ │ │  If the system is not configured to update from one of these sources,
│ │ │ │  run the following command to list when each package was last updated:
│ │ │ │ @@ -5592,229 +5690,131 @@
│ │ │ │            <ocil:question_text>To verify that Studies is disabled,
│ │ │ │  type the following into the browser address bar:
│ │ │ │  about:policies
│ │ │ │  The output should have the following:
│ │ │ │  "DisableFirefoxStudies": true
│ │ │ │        Is it the case that ?</ocil:question_text>
│ │ │ │          </ocil:boolean_question>
│ │ │ │ -        <ocil:boolean_question id="ocil:ssg-firefox_policy-javascript_window_changes_question:question:1">
│ │ │ │ -          <ocil:question_text>To verify that JavaScript cannot change windows sizing,
│ │ │ │ +        <ocil:boolean_question id="ocil:ssg-firefox_policy-cryptomining_question:question:1">
│ │ │ │ +          <ocil:question_text>To verify that cryptomining protection is enabled,
│ │ │ │  type the following into the browser address bar:
│ │ │ │  about:policies
│ │ │ │ -The output should have the following uder dom.disable_window_flip:
│ │ │ │ -"Value": true,
│ │ │ │ -"Status": "locked",
│ │ │ │ -      Is it the case that it is not disabled?</ocil:question_text>
│ │ │ │ +The output should have the following under EnableTrackingProtection:
│ │ │ │ +"Cryptomining": true
│ │ │ │ +      Is it the case that ?</ocil:question_text>
│ │ │ │          </ocil:boolean_question>
│ │ │ │          <ocil:boolean_question id="ocil:ssg-firefox_preferences-enable_ca_trust_question:question:1">
│ │ │ │            <ocil:question_text>To verify that the central system cerificate authority store is enabled,
│ │ │ │  run the following command:
│ │ │ │  $ ls -l /etc/alternatives/libnssckbi.so.x86_64
│ │ │ │  The output should return something similar to:
│ │ │ │  lrwxrwxrwx. 1 root root 34 Apr 30 09:19 /etc/alternatives/libnssckbi.so.x86_64 -&gt; /usr/lib64/pkcs11/p11-kit-trust.so
│ │ │ │        Is it the case that it is not enabled?</ocil:question_text>
│ │ │ │          </ocil:boolean_question>
│ │ │ │ -        <ocil:boolean_question id="ocil:ssg-firefox_policy-autoplay_video_question:question:1">
│ │ │ │ -          <ocil:question_text>To verify that search suggestions are disabled,
│ │ │ │ -type the following into the browser address bar:
│ │ │ │ -about:policies
│ │ │ │ -The output should have the following under Permissions -&gt; Autoplay:
│ │ │ │ -"Default": "block-audio-video"
│ │ │ │ -      Is it the case that ?</ocil:question_text>
│ │ │ │ -        </ocil:boolean_question>
│ │ │ │ -        <ocil:boolean_question id="ocil:ssg-firefox_policy-verification_question:question:1">
│ │ │ │ -          <ocil:question_text>To verify that certificate verification is enabled, type the following into the browser address bar:
│ │ │ │ -    about:policies
│ │ │ │ -The output should have the following under security.default_personal_cert:
│ │ │ │ -Value: "Ask Every Time"
│ │ │ │ -Status: "locked"
│ │ │ │ -      Is it the case that it is not enabled?</ocil:question_text>
│ │ │ │ -        </ocil:boolean_question>
│ │ │ │ -        <ocil:boolean_question id="ocil:ssg-firefox_policy-content_blocker_question:question:1">
│ │ │ │ -          <ocil:question_text>To verify that the policy is modified to automatically install the content blocker and that it's updates are not disabled,
│ │ │ │ -type the following into the browser address bar:
│ │ │ │ -about:policies
│ │ │ │ -The output should have the following under ExtensionSettings:
│ │ │ │ -"uBlock0@raymondhill.net": {
│ │ │ │ -"    "installation_mode":"normal_installed",
│ │ │ │ -"    "install_url":"https://addons.mozilla.org/firefox/downloads/latest/ublock-origin/latest.xpi",
│ │ │ │ -"    "updates_disabled":false}
│ │ │ │ -      Is it the case that ?</ocil:question_text>
│ │ │ │ -        </ocil:boolean_question>
│ │ │ │ -        <ocil:boolean_question id="ocil:ssg-firefox_policy-fingerprinting_protection_question:question:1">
│ │ │ │ -          <ocil:question_text>To verify that fingerprinting protection is enabled,
│ │ │ │ +        <ocil:boolean_question id="ocil:ssg-firefox_policy-javascript_window_changes_question:question:1">
│ │ │ │ +          <ocil:question_text>To verify that JavaScript cannot change windows sizing,
│ │ │ │  type the following into the browser address bar:
│ │ │ │  about:policies
│ │ │ │ -The output should have the following under EnableTrackingProtection:
│ │ │ │ -"Fingerprinting": true
│ │ │ │ -      Is it the case that ?</ocil:question_text>
│ │ │ │ +The output should have the following uder dom.disable_window_flip:
│ │ │ │ +"Value": true,
│ │ │ │ +"Status": "locked",
│ │ │ │ +      Is it the case that it is not disabled?</ocil:question_text>
│ │ │ │          </ocil:boolean_question>
│ │ │ │ -        <ocil:boolean_question id="ocil:ssg-firefox_policy-enhanced_tracking_question:question:1">
│ │ │ │ -          <ocil:question_text>To verify that enhanced tracking protection is enabled,
│ │ │ │ +        <ocil:boolean_question id="ocil:ssg-firefox_policy-disable_deprecated_ciphers_question:question:1">
│ │ │ │ +          <ocil:question_text>To verify that deprecated ciphers are disabled,
│ │ │ │  type the following into the browser address bar:
│ │ │ │  about:policies
│ │ │ │ -The output should have the following under Preferences -&gt; browser.contentblocking.category:
│ │ │ │ -"Value": "strict"
│ │ │ │ -"Status": "locked"
│ │ │ │ +The output should have the following under DisabledCiphers:
│ │ │ │ +"TLS_RSA_WITH_3DES_EDE_CBC_SHA": true
│ │ │ │        Is it the case that ?</ocil:question_text>
│ │ │ │          </ocil:boolean_question>
│ │ │ │ -        <ocil:boolean_question id="ocil:ssg-firefox_policy-extension_recommendation_question:question:1">
│ │ │ │ -          <ocil:question_text>To verify that enhanced tracking protection is enabled,
│ │ │ │ +        <ocil:boolean_question id="ocil:ssg-firefox_policy-telemetry_question:question:1">
│ │ │ │ +          <ocil:question_text>To verify that Firefox telemetry is disabled,
│ │ │ │  type the following into the browser address bar:
│ │ │ │  about:policies
│ │ │ │ -The output should have the following under Preferences -&gt; extensions.htmlaboutaddons.recommendations.enabled:
│ │ │ │ -"Value": false
│ │ │ │ -"Status": "locked"
│ │ │ │ +The output should have the following:
│ │ │ │ +"DisableTelemetry": true
│ │ │ │        Is it the case that ?</ocil:question_text>
│ │ │ │          </ocil:boolean_question>
│ │ │ │          <ocil:boolean_question id="ocil:ssg-firefox_policy-disable_pocket_question:question:1">
│ │ │ │            <ocil:question_text>To verify that Pocket is disabled,
│ │ │ │  type the following into the browser address bar:
│ │ │ │  about:policies
│ │ │ │  The output should have the following:
│ │ │ │  "DisablePocket": true
│ │ │ │        Is it the case that ?</ocil:question_text>
│ │ │ │          </ocil:boolean_question>
│ │ │ │ -        <ocil:boolean_question id="ocil:ssg-firefox_policy-extension_update_question:question:1">
│ │ │ │ -          <ocil:question_text>To verify that certificate verification is enabled,
│ │ │ │ +        <ocil:boolean_question id="ocil:ssg-firefox_policy-fingerprinting_protection_question:question:1">
│ │ │ │ +          <ocil:question_text>To verify that fingerprinting protection is enabled,
│ │ │ │  type the following into the browser address bar:
│ │ │ │  about:policies
│ │ │ │ -The output should have the following:
│ │ │ │ -"ExtensionUpdate": false
│ │ │ │ -Status: "locked"
│ │ │ │ -      Is it the case that it is not enabled?</ocil:question_text>
│ │ │ │ +The output should have the following under EnableTrackingProtection:
│ │ │ │ +"Fingerprinting": true
│ │ │ │ +      Is it the case that ?</ocil:question_text>
│ │ │ │          </ocil:boolean_question>
│ │ │ │          <ocil:boolean_question id="ocil:ssg-firefox_policy-forget_button_question:question:1">
│ │ │ │            <ocil:question_text>To verify that users cannot access the forget button,
│ │ │ │  type the following into the browser address bar:
│ │ │ │  about:policies
│ │ │ │  The output should have the following:
│ │ │ │  "DisableForgetButon": true
│ │ │ │        Is it the case that ?</ocil:question_text>
│ │ │ │          </ocil:boolean_question>
│ │ │ │ -        <ocil:boolean_question id="ocil:ssg-firefox_policy-pop-up_windows_question:question:1">
│ │ │ │ -          <ocil:question_text>To verify that pop-up blocker is enabled,
│ │ │ │ -run the following command:
│ │ │ │ -$ grep -B10 'PopupBlocking' FIREFOX_INSTALL_DIR/*.cfg
│ │ │ │ -The output should include:
│ │ │ │ -"Default": true
│ │ │ │ -"Locked": true
│ │ │ │ -      Is it the case that it is not enabled?</ocil:question_text>
│ │ │ │ -        </ocil:boolean_question>
│ │ │ │ -        <ocil:boolean_question id="ocil:ssg-firefox_policy-disable_deprecated_ciphers_question:question:1">
│ │ │ │ -          <ocil:question_text>To verify that deprecated ciphers are disabled,
│ │ │ │ +        <ocil:boolean_question id="ocil:ssg-firefox_policy-network_prediction_question:question:1">
│ │ │ │ +          <ocil:question_text>To verify that network prediction is disabled,
│ │ │ │  type the following into the browser address bar:
│ │ │ │  about:policies
│ │ │ │ -The output should have the following under DisabledCiphers:
│ │ │ │ -"TLS_RSA_WITH_3DES_EDE_CBC_SHA": true
│ │ │ │ -      Is it the case that ?</ocil:question_text>
│ │ │ │ +The output should have the following:
│ │ │ │ +"NetworkPrediction": false
│ │ │ │ +      Is it the case that it is not disabled?</ocil:question_text>
│ │ │ │          </ocil:boolean_question>
│ │ │ │ -        <ocil:boolean_question id="ocil:ssg-firefox_policy-private_browsing_question:question:1">
│ │ │ │ -          <ocil:question_text>To verify that private browsing is disabled
│ │ │ │ +        <ocil:boolean_question id="ocil:ssg-firefox_policy-javascript_window_resizing_question:question:1">
│ │ │ │ +          <ocil:question_text>To verify that JavaScript cannot change windows sizing,
│ │ │ │  type the following into the browser address bar:
│ │ │ │  about:policies
│ │ │ │  The output should have the following uder dom.disable_window_move_resize:
│ │ │ │ -"DisablePrivateBrowsing": true
│ │ │ │ -      Is it the case that ?</ocil:question_text>
│ │ │ │ +"Value": true,
│ │ │ │ +"Status": "locked",
│ │ │ │ +      Is it the case that it is not disabled?</ocil:question_text>
│ │ │ │          </ocil:boolean_question>
│ │ │ │ -        <ocil:boolean_question id="ocil:ssg-firefox_policy-development_tools_question:question:1">
│ │ │ │ -          <ocil:question_text>To verify that Firefox Development Tools are disabled,
│ │ │ │ +        <ocil:boolean_question id="ocil:ssg-firefox_policy-extension_recommendation_question:question:1">
│ │ │ │ +          <ocil:question_text>To verify that enhanced tracking protection is enabled,
│ │ │ │  type the following into the browser address bar:
│ │ │ │  about:policies
│ │ │ │ -The output should have the following:
│ │ │ │ -"DisableDeveloperTools": true,
│ │ │ │ -      Is it the case that it is not disabled?</ocil:question_text>
│ │ │ │ +The output should have the following under Preferences -&gt; extensions.htmlaboutaddons.recommendations.enabled:
│ │ │ │ +"Value": false
│ │ │ │ +"Status": "locked"
│ │ │ │ +      Is it the case that ?</ocil:question_text>
│ │ │ │          </ocil:boolean_question>
│ │ │ │ -        <ocil:boolean_question id="ocil:ssg-firefox_policy-network_prediction_question:question:1">
│ │ │ │ -          <ocil:question_text>To verify that network prediction is disabled,
│ │ │ │ +        <ocil:boolean_question id="ocil:ssg-firefox_policy-extension_update_question:question:1">
│ │ │ │ +          <ocil:question_text>To verify that certificate verification is enabled,
│ │ │ │  type the following into the browser address bar:
│ │ │ │  about:policies
│ │ │ │  The output should have the following:
│ │ │ │ -"NetworkPrediction": false
│ │ │ │ -      Is it the case that it is not disabled?</ocil:question_text>
│ │ │ │ +"ExtensionUpdate": false
│ │ │ │ +Status: "locked"
│ │ │ │ +      Is it the case that it is not enabled?</ocil:question_text>
│ │ │ │          </ocil:boolean_question>
│ │ │ │          <ocil:boolean_question id="ocil:ssg-firefox_preferences-dod_root_certificate_installed_question:question:1">
│ │ │ │            <ocil:question_text>To verify that the DoD root certificate is installed,
│ │ │ │  list all certificates in /etc/pki/ca-trust/source/anchors
│ │ │ │  and compare them to the DoD root certificate. If there is a match
│ │ │ │  to the DoD root certificate, then the DoD root certificate is
│ │ │ │  installed.
│ │ │ │        Is it the case that it is not installed?</ocil:question_text>
│ │ │ │          </ocil:boolean_question>
│ │ │ │ -        <ocil:boolean_question id="ocil:ssg-firefox_policy-telemetry_question:question:1">
│ │ │ │ -          <ocil:question_text>To verify that Firefox telemetry is disabled,
│ │ │ │ -type the following into the browser address bar:
│ │ │ │ -about:policies
│ │ │ │ -The output should have the following:
│ │ │ │ -"DisableTelemetry": true
│ │ │ │ -      Is it the case that ?</ocil:question_text>
│ │ │ │ -        </ocil:boolean_question>
│ │ │ │ -        <ocil:boolean_question id="ocil:ssg-firefox_policy-search_suggestion_question:question:1">
│ │ │ │ -          <ocil:question_text>To verify that search suggestions are disabled,
│ │ │ │ -type the following into the browser address bar:
│ │ │ │ -about:policies
│ │ │ │ -The output should have the following:
│ │ │ │ -"SearchSuggestEnabled": false
│ │ │ │ -      Is it the case that ?</ocil:question_text>
│ │ │ │ -        </ocil:boolean_question>
│ │ │ │ -        <ocil:boolean_question id="ocil:ssg-firefox_policy-cryptomining_question:question:1">
│ │ │ │ -          <ocil:question_text>To verify that cryptomining protection is enabled,
│ │ │ │ +        <ocil:boolean_question id="ocil:ssg-firefox_policy-enhanced_tracking_question:question:1">
│ │ │ │ +          <ocil:question_text>To verify that enhanced tracking protection is enabled,
│ │ │ │  type the following into the browser address bar:
│ │ │ │  about:policies
│ │ │ │ -The output should have the following under EnableTrackingProtection:
│ │ │ │ -"Cryptomining": true
│ │ │ │ -      Is it the case that ?</ocil:question_text>
│ │ │ │ -        </ocil:boolean_question>
│ │ │ │ -        <ocil:boolean_question id="ocil:ssg-firefox_preferences-auto-download_actions_question:question:1">
│ │ │ │ -          <ocil:question_text>To verify that any proscribed file types are configured for automatic download,
│ │ │ │ -type "about:preferences" into the search bar,  then
│ │ │ │ -type "Applications" in the Find bar in the upper-right corner.
│ │ │ │ -If any of the following file extensions are listed and the Action item associated with it 
│ │ │ │ -is an application that does or can execute the code, this is a finding.
│ │ │ │ -If the entry exists and the "Action" is "Save File" or "Always Ask", this is not a finding.
│ │ │ │ -
│ │ │ │ -  HTA
│ │ │ │ -  JSE
│ │ │ │ -  JS
│ │ │ │ -  MOCHA
│ │ │ │ -  SHS
│ │ │ │ -  VBE
│ │ │ │ -  VBS
│ │ │ │ -  SCT
│ │ │ │ -  WSC
│ │ │ │ -  FDF
│ │ │ │ -  XFDF
│ │ │ │ -  LSL
│ │ │ │ -  LSO
│ │ │ │ -  LSS
│ │ │ │ -  IQY
│ │ │ │ -  RQY
│ │ │ │ -  DOS
│ │ │ │ -  BAT
│ │ │ │ -  PS
│ │ │ │ -  EPS
│ │ │ │ -  WCH
│ │ │ │ -  WCM
│ │ │ │ -  WB1
│ │ │ │ -  WB3
│ │ │ │ -  WCH
│ │ │ │ -  WCM
│ │ │ │ -  AD
│ │ │ │ -
│ │ │ │ +The output should have the following under Preferences -&gt; browser.contentblocking.category:
│ │ │ │ +"Value": "strict"
│ │ │ │ +"Status": "locked"
│ │ │ │        Is it the case that ?</ocil:question_text>
│ │ │ │          </ocil:boolean_question>
│ │ │ │ -        <ocil:boolean_question id="ocil:ssg-firefox_policy-search_update_question:question:1">
│ │ │ │ -          <ocil:question_text>To verify that checks for installed search plugin updates are disabled,
│ │ │ │ -type the following into the browser address bar:
│ │ │ │ -about:policies
│ │ │ │ -The output should have the following under browser.search.update:
│ │ │ │ -Value: false
│ │ │ │ -Status: "locked"
│ │ │ │ -      Is it the case that it is not disabled?</ocil:question_text>
│ │ │ │ -        </ocil:boolean_question>
│ │ │ │        </ocil:questions>
│ │ │ │      </ocil:ocil>
│ │ │ │    </ds:component>
│ │ │ │    <ds:component id="scap_org.open-scap_comp_ssg-firefox-cpe-oval.xml" timestamp="2025-03-01T08:08:00">
│ │ │ │      <oval-def:oval_definitions xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-common-5 oval-common-schema.xsd  http://oval.mitre.org/XMLSchema/oval-definitions-5 oval-definitions-schema.xsd  http://oval.mitre.org/XMLSchema/oval-definitions-5#independent independent-definitions-schema.xsd  http://oval.mitre.org/XMLSchema/oval-definitions-5#unix unix-definitions-schema.xsd  http://oval.mitre.org/XMLSchema/oval-definitions-5#linux linux-definitions-schema.xsd">
│ │ │ │        <oval-def:generator>
│ │ │ │          <oval:product_name>build_cpe.py from SCAP Security Guide</oval:product_name>
│ │ ├── ./usr/share/xml/scap/ssg/content/ssg-firefox-ocil.xml
│ │ │ ├── ./usr/share/xml/scap/ssg/content/ssg-firefox-ocil.xml
│ │ │ │┄ Ordering differences only
│ │ │ │ @@ -3,377 +3,475 @@
│ │ │ │    <ocil:generator>
│ │ │ │      <ocil:product_name>build_shorthand.py from SCAP Security Guide</ocil:product_name>
│ │ │ │      <ocil:product_version>ssg: 0.1.76</ocil:product_version>
│ │ │ │      <ocil:schema_version>2.0</ocil:schema_version>
│ │ │ │      <ocil:timestamp>2025-03-01T08:08:00</ocil:timestamp>
│ │ │ │    </ocil:generator>
│ │ │ │    <ocil:questionnaires>
│ │ │ │ -    <ocil:questionnaire id="ocil:ssg-firefox_policy-javascript_window_resizing_ocil:questionnaire:1">
│ │ │ │ -      <ocil:title>Disable JavaScript's Moving Or Resizing Windows Capability</ocil:title>
│ │ │ │ +    <ocil:questionnaire id="ocil:ssg-firefox_policy-content_blocker_ocil:questionnaire:1">
│ │ │ │ +      <ocil:title>Ensure the Content Blocker uBlock Origin is Installed</ocil:title>
│ │ │ │        <ocil:actions>
│ │ │ │ -        <ocil:test_action_ref>ocil:ssg-firefox_policy-javascript_window_resizing_action:testaction:1</ocil:test_action_ref>
│ │ │ │ +        <ocil:test_action_ref>ocil:ssg-firefox_policy-content_blocker_action:testaction:1</ocil:test_action_ref>
│ │ │ │        </ocil:actions>
│ │ │ │      </ocil:questionnaire>
│ │ │ │ -    <ocil:questionnaire id="ocil:ssg-installed_firefox_version_supported_ocil:questionnaire:1">
│ │ │ │ -      <ocil:title>Supported Version of Firefox Installed</ocil:title>
│ │ │ │ +    <ocil:questionnaire id="ocil:ssg-firefox_policy-search_update_ocil:questionnaire:1">
│ │ │ │ +      <ocil:title>Disable Installed Search Plugins Update Checking</ocil:title>
│ │ │ │        <ocil:actions>
│ │ │ │ -        <ocil:test_action_ref>ocil:ssg-installed_firefox_version_supported_action:testaction:1</ocil:test_action_ref>
│ │ │ │ +        <ocil:test_action_ref>ocil:ssg-firefox_policy-search_update_action:testaction:1</ocil:test_action_ref>
│ │ │ │        </ocil:actions>
│ │ │ │      </ocil:questionnaire>
│ │ │ │ -    <ocil:questionnaire id="ocil:ssg-firefox_policy-disable_studies_ocil:questionnaire:1">
│ │ │ │ -      <ocil:title>Disable Firefox Studies</ocil:title>
│ │ │ │ +    <ocil:questionnaire id="ocil:ssg-firefox_policy-pop-up_windows_ocil:questionnaire:1">
│ │ │ │ +      <ocil:title>Enable Firefox Pop-up Blocker</ocil:title>
│ │ │ │        <ocil:actions>
│ │ │ │ -        <ocil:test_action_ref>ocil:ssg-firefox_policy-disable_studies_action:testaction:1</ocil:test_action_ref>
│ │ │ │ +        <ocil:test_action_ref>ocil:ssg-firefox_policy-pop-up_windows_action:testaction:1</ocil:test_action_ref>
│ │ │ │        </ocil:actions>
│ │ │ │      </ocil:questionnaire>
│ │ │ │ -    <ocil:questionnaire id="ocil:ssg-firefox_policy-javascript_window_changes_ocil:questionnaire:1">
│ │ │ │ -      <ocil:title>Disable JavaScript's Raise Or Lower Windows Capability</ocil:title>
│ │ │ │ +    <ocil:questionnaire id="ocil:ssg-firefox_policy-autoplay_video_ocil:questionnaire:1">
│ │ │ │ +      <ocil:title>Firefox autoplay must be disabled.</ocil:title>
│ │ │ │        <ocil:actions>
│ │ │ │ -        <ocil:test_action_ref>ocil:ssg-firefox_policy-javascript_window_changes_action:testaction:1</ocil:test_action_ref>
│ │ │ │ +        <ocil:test_action_ref>ocil:ssg-firefox_policy-autoplay_video_action:testaction:1</ocil:test_action_ref>
│ │ │ │        </ocil:actions>
│ │ │ │      </ocil:questionnaire>
│ │ │ │ -    <ocil:questionnaire id="ocil:ssg-firefox_preferences-enable_ca_trust_ocil:questionnaire:1">
│ │ │ │ -      <ocil:title>Enable Shared System Certificates</ocil:title>
│ │ │ │ +    <ocil:questionnaire id="ocil:ssg-firefox_policy-private_browsing_ocil:questionnaire:1">
│ │ │ │ +      <ocil:title>Firefox private browsing must be disabled.</ocil:title>
│ │ │ │        <ocil:actions>
│ │ │ │ -        <ocil:test_action_ref>ocil:ssg-firefox_preferences-enable_ca_trust_action:testaction:1</ocil:test_action_ref>
│ │ │ │ +        <ocil:test_action_ref>ocil:ssg-firefox_policy-private_browsing_action:testaction:1</ocil:test_action_ref>
│ │ │ │        </ocil:actions>
│ │ │ │      </ocil:questionnaire>
│ │ │ │ -    <ocil:questionnaire id="ocil:ssg-firefox_policy-autoplay_video_ocil:questionnaire:1">
│ │ │ │ -      <ocil:title>Firefox autoplay must be disabled.</ocil:title>
│ │ │ │ +    <ocil:questionnaire id="ocil:ssg-firefox_preferences-auto-download_actions_ocil:questionnaire:1">
│ │ │ │ +      <ocil:title>Disable auto-download for proscribed MIME types.</ocil:title>
│ │ │ │        <ocil:actions>
│ │ │ │ -        <ocil:test_action_ref>ocil:ssg-firefox_policy-autoplay_video_action:testaction:1</ocil:test_action_ref>
│ │ │ │ +        <ocil:test_action_ref>ocil:ssg-firefox_preferences-auto-download_actions_action:testaction:1</ocil:test_action_ref>
│ │ │ │ +      </ocil:actions>
│ │ │ │ +    </ocil:questionnaire>
│ │ │ │ +    <ocil:questionnaire id="ocil:ssg-firefox_policy-development_tools_ocil:questionnaire:1">
│ │ │ │ +      <ocil:title>Disable Firefox Development Tools</ocil:title>
│ │ │ │ +      <ocil:actions>
│ │ │ │ +        <ocil:test_action_ref>ocil:ssg-firefox_policy-development_tools_action:testaction:1</ocil:test_action_ref>
│ │ │ │        </ocil:actions>
│ │ │ │      </ocil:questionnaire>
│ │ │ │      <ocil:questionnaire id="ocil:ssg-firefox_policy-verification_ocil:questionnaire:1">
│ │ │ │        <ocil:title>Enable Certificate Verification</ocil:title>
│ │ │ │        <ocil:actions>
│ │ │ │          <ocil:test_action_ref>ocil:ssg-firefox_policy-verification_action:testaction:1</ocil:test_action_ref>
│ │ │ │        </ocil:actions>
│ │ │ │      </ocil:questionnaire>
│ │ │ │ -    <ocil:questionnaire id="ocil:ssg-firefox_policy-content_blocker_ocil:questionnaire:1">
│ │ │ │ -      <ocil:title>Ensure the Content Blocker uBlock Origin is Installed</ocil:title>
│ │ │ │ +    <ocil:questionnaire id="ocil:ssg-firefox_policy-search_suggestion_ocil:questionnaire:1">
│ │ │ │ +      <ocil:title>Firefox search suggestions must be disabled.</ocil:title>
│ │ │ │        <ocil:actions>
│ │ │ │ -        <ocil:test_action_ref>ocil:ssg-firefox_policy-content_blocker_action:testaction:1</ocil:test_action_ref>
│ │ │ │ +        <ocil:test_action_ref>ocil:ssg-firefox_policy-search_suggestion_action:testaction:1</ocil:test_action_ref>
│ │ │ │        </ocil:actions>
│ │ │ │      </ocil:questionnaire>
│ │ │ │ -    <ocil:questionnaire id="ocil:ssg-firefox_policy-fingerprinting_protection_ocil:questionnaire:1">
│ │ │ │ -      <ocil:title>Enabled Firefox Fingerprinting Protection</ocil:title>
│ │ │ │ +    <ocil:questionnaire id="ocil:ssg-installed_firefox_version_supported_ocil:questionnaire:1">
│ │ │ │ +      <ocil:title>Supported Version of Firefox Installed</ocil:title>
│ │ │ │        <ocil:actions>
│ │ │ │ -        <ocil:test_action_ref>ocil:ssg-firefox_policy-fingerprinting_protection_action:testaction:1</ocil:test_action_ref>
│ │ │ │ +        <ocil:test_action_ref>ocil:ssg-installed_firefox_version_supported_action:testaction:1</ocil:test_action_ref>
│ │ │ │        </ocil:actions>
│ │ │ │      </ocil:questionnaire>
│ │ │ │ -    <ocil:questionnaire id="ocil:ssg-firefox_policy-enhanced_tracking_ocil:questionnaire:1">
│ │ │ │ -      <ocil:title>Enabled Firefox Enhanced Tracking Protection</ocil:title>
│ │ │ │ +    <ocil:questionnaire id="ocil:ssg-firefox_policy-disable_studies_ocil:questionnaire:1">
│ │ │ │ +      <ocil:title>Disable Firefox Studies</ocil:title>
│ │ │ │        <ocil:actions>
│ │ │ │ -        <ocil:test_action_ref>ocil:ssg-firefox_policy-enhanced_tracking_action:testaction:1</ocil:test_action_ref>
│ │ │ │ +        <ocil:test_action_ref>ocil:ssg-firefox_policy-disable_studies_action:testaction:1</ocil:test_action_ref>
│ │ │ │        </ocil:actions>
│ │ │ │      </ocil:questionnaire>
│ │ │ │ -    <ocil:questionnaire id="ocil:ssg-firefox_policy-extension_recommendation_ocil:questionnaire:1">
│ │ │ │ -      <ocil:title>Disabled Firefox Extension Recommendations</ocil:title>
│ │ │ │ +    <ocil:questionnaire id="ocil:ssg-firefox_policy-cryptomining_ocil:questionnaire:1">
│ │ │ │ +      <ocil:title>Enabled Firefox Cryptomining protection</ocil:title>
│ │ │ │        <ocil:actions>
│ │ │ │ -        <ocil:test_action_ref>ocil:ssg-firefox_policy-extension_recommendation_action:testaction:1</ocil:test_action_ref>
│ │ │ │ +        <ocil:test_action_ref>ocil:ssg-firefox_policy-cryptomining_action:testaction:1</ocil:test_action_ref>
│ │ │ │        </ocil:actions>
│ │ │ │      </ocil:questionnaire>
│ │ │ │ -    <ocil:questionnaire id="ocil:ssg-firefox_policy-disable_pocket_ocil:questionnaire:1">
│ │ │ │ -      <ocil:title>Disable Firefox Pocket</ocil:title>
│ │ │ │ +    <ocil:questionnaire id="ocil:ssg-firefox_preferences-enable_ca_trust_ocil:questionnaire:1">
│ │ │ │ +      <ocil:title>Enable Shared System Certificates</ocil:title>
│ │ │ │        <ocil:actions>
│ │ │ │ -        <ocil:test_action_ref>ocil:ssg-firefox_policy-disable_pocket_action:testaction:1</ocil:test_action_ref>
│ │ │ │ +        <ocil:test_action_ref>ocil:ssg-firefox_preferences-enable_ca_trust_action:testaction:1</ocil:test_action_ref>
│ │ │ │        </ocil:actions>
│ │ │ │      </ocil:questionnaire>
│ │ │ │ -    <ocil:questionnaire id="ocil:ssg-firefox_policy-extension_update_ocil:questionnaire:1">
│ │ │ │ -      <ocil:title>Firefox must be configured to not automatically update installed add-ons and plugins.</ocil:title>
│ │ │ │ +    <ocil:questionnaire id="ocil:ssg-firefox_policy-javascript_window_changes_ocil:questionnaire:1">
│ │ │ │ +      <ocil:title>Disable JavaScript's Raise Or Lower Windows Capability</ocil:title>
│ │ │ │        <ocil:actions>
│ │ │ │ -        <ocil:test_action_ref>ocil:ssg-firefox_policy-extension_update_action:testaction:1</ocil:test_action_ref>
│ │ │ │ +        <ocil:test_action_ref>ocil:ssg-firefox_policy-javascript_window_changes_action:testaction:1</ocil:test_action_ref>
│ │ │ │        </ocil:actions>
│ │ │ │      </ocil:questionnaire>
│ │ │ │ -    <ocil:questionnaire id="ocil:ssg-firefox_policy-forget_button_ocil:questionnaire:1">
│ │ │ │ -      <ocil:title>Firefox must prevent the user from quickly deleting data.</ocil:title>
│ │ │ │ +    <ocil:questionnaire id="ocil:ssg-firefox_policy-disable_deprecated_ciphers_ocil:questionnaire:1">
│ │ │ │ +      <ocil:title>Disable Firefox deprecated ciphers</ocil:title>
│ │ │ │        <ocil:actions>
│ │ │ │ -        <ocil:test_action_ref>ocil:ssg-firefox_policy-forget_button_action:testaction:1</ocil:test_action_ref>
│ │ │ │ +        <ocil:test_action_ref>ocil:ssg-firefox_policy-disable_deprecated_ciphers_action:testaction:1</ocil:test_action_ref>
│ │ │ │        </ocil:actions>
│ │ │ │      </ocil:questionnaire>
│ │ │ │ -    <ocil:questionnaire id="ocil:ssg-firefox_policy-pop-up_windows_ocil:questionnaire:1">
│ │ │ │ -      <ocil:title>Enable Firefox Pop-up Blocker</ocil:title>
│ │ │ │ +    <ocil:questionnaire id="ocil:ssg-firefox_policy-telemetry_ocil:questionnaire:1">
│ │ │ │ +      <ocil:title>Disable Firefox Telemetry</ocil:title>
│ │ │ │        <ocil:actions>
│ │ │ │ -        <ocil:test_action_ref>ocil:ssg-firefox_policy-pop-up_windows_action:testaction:1</ocil:test_action_ref>
│ │ │ │ +        <ocil:test_action_ref>ocil:ssg-firefox_policy-telemetry_action:testaction:1</ocil:test_action_ref>
│ │ │ │        </ocil:actions>
│ │ │ │      </ocil:questionnaire>
│ │ │ │ -    <ocil:questionnaire id="ocil:ssg-firefox_policy-disable_deprecated_ciphers_ocil:questionnaire:1">
│ │ │ │ -      <ocil:title>Disable Firefox deprecated ciphers</ocil:title>
│ │ │ │ +    <ocil:questionnaire id="ocil:ssg-firefox_policy-disable_pocket_ocil:questionnaire:1">
│ │ │ │ +      <ocil:title>Disable Firefox Pocket</ocil:title>
│ │ │ │        <ocil:actions>
│ │ │ │ -        <ocil:test_action_ref>ocil:ssg-firefox_policy-disable_deprecated_ciphers_action:testaction:1</ocil:test_action_ref>
│ │ │ │ +        <ocil:test_action_ref>ocil:ssg-firefox_policy-disable_pocket_action:testaction:1</ocil:test_action_ref>
│ │ │ │        </ocil:actions>
│ │ │ │      </ocil:questionnaire>
│ │ │ │ -    <ocil:questionnaire id="ocil:ssg-firefox_policy-private_browsing_ocil:questionnaire:1">
│ │ │ │ -      <ocil:title>Firefox private browsing must be disabled.</ocil:title>
│ │ │ │ +    <ocil:questionnaire id="ocil:ssg-firefox_policy-fingerprinting_protection_ocil:questionnaire:1">
│ │ │ │ +      <ocil:title>Enabled Firefox Fingerprinting Protection</ocil:title>
│ │ │ │        <ocil:actions>
│ │ │ │ -        <ocil:test_action_ref>ocil:ssg-firefox_policy-private_browsing_action:testaction:1</ocil:test_action_ref>
│ │ │ │ +        <ocil:test_action_ref>ocil:ssg-firefox_policy-fingerprinting_protection_action:testaction:1</ocil:test_action_ref>
│ │ │ │        </ocil:actions>
│ │ │ │      </ocil:questionnaire>
│ │ │ │ -    <ocil:questionnaire id="ocil:ssg-firefox_policy-development_tools_ocil:questionnaire:1">
│ │ │ │ -      <ocil:title>Disable Firefox Development Tools</ocil:title>
│ │ │ │ +    <ocil:questionnaire id="ocil:ssg-firefox_policy-forget_button_ocil:questionnaire:1">
│ │ │ │ +      <ocil:title>Firefox must prevent the user from quickly deleting data.</ocil:title>
│ │ │ │        <ocil:actions>
│ │ │ │ -        <ocil:test_action_ref>ocil:ssg-firefox_policy-development_tools_action:testaction:1</ocil:test_action_ref>
│ │ │ │ +        <ocil:test_action_ref>ocil:ssg-firefox_policy-forget_button_action:testaction:1</ocil:test_action_ref>
│ │ │ │        </ocil:actions>
│ │ │ │      </ocil:questionnaire>
│ │ │ │      <ocil:questionnaire id="ocil:ssg-firefox_policy-network_prediction_ocil:questionnaire:1">
│ │ │ │        <ocil:title>Disable Firefox network prediction</ocil:title>
│ │ │ │        <ocil:actions>
│ │ │ │          <ocil:test_action_ref>ocil:ssg-firefox_policy-network_prediction_action:testaction:1</ocil:test_action_ref>
│ │ │ │        </ocil:actions>
│ │ │ │      </ocil:questionnaire>
│ │ │ │ -    <ocil:questionnaire id="ocil:ssg-firefox_preferences-dod_root_certificate_installed_ocil:questionnaire:1">
│ │ │ │ -      <ocil:title>The DoD Root Certificate Exists</ocil:title>
│ │ │ │ -      <ocil:actions>
│ │ │ │ -        <ocil:test_action_ref>ocil:ssg-firefox_preferences-dod_root_certificate_installed_action:testaction:1</ocil:test_action_ref>
│ │ │ │ -      </ocil:actions>
│ │ │ │ -    </ocil:questionnaire>
│ │ │ │ -    <ocil:questionnaire id="ocil:ssg-firefox_policy-telemetry_ocil:questionnaire:1">
│ │ │ │ -      <ocil:title>Disable Firefox Telemetry</ocil:title>
│ │ │ │ +    <ocil:questionnaire id="ocil:ssg-firefox_policy-javascript_window_resizing_ocil:questionnaire:1">
│ │ │ │ +      <ocil:title>Disable JavaScript's Moving Or Resizing Windows Capability</ocil:title>
│ │ │ │        <ocil:actions>
│ │ │ │ -        <ocil:test_action_ref>ocil:ssg-firefox_policy-telemetry_action:testaction:1</ocil:test_action_ref>
│ │ │ │ +        <ocil:test_action_ref>ocil:ssg-firefox_policy-javascript_window_resizing_action:testaction:1</ocil:test_action_ref>
│ │ │ │        </ocil:actions>
│ │ │ │      </ocil:questionnaire>
│ │ │ │ -    <ocil:questionnaire id="ocil:ssg-firefox_policy-search_suggestion_ocil:questionnaire:1">
│ │ │ │ -      <ocil:title>Firefox search suggestions must be disabled.</ocil:title>
│ │ │ │ +    <ocil:questionnaire id="ocil:ssg-firefox_policy-extension_recommendation_ocil:questionnaire:1">
│ │ │ │ +      <ocil:title>Disabled Firefox Extension Recommendations</ocil:title>
│ │ │ │        <ocil:actions>
│ │ │ │ -        <ocil:test_action_ref>ocil:ssg-firefox_policy-search_suggestion_action:testaction:1</ocil:test_action_ref>
│ │ │ │ +        <ocil:test_action_ref>ocil:ssg-firefox_policy-extension_recommendation_action:testaction:1</ocil:test_action_ref>
│ │ │ │        </ocil:actions>
│ │ │ │      </ocil:questionnaire>
│ │ │ │ -    <ocil:questionnaire id="ocil:ssg-firefox_policy-cryptomining_ocil:questionnaire:1">
│ │ │ │ -      <ocil:title>Enabled Firefox Cryptomining protection</ocil:title>
│ │ │ │ +    <ocil:questionnaire id="ocil:ssg-firefox_policy-extension_update_ocil:questionnaire:1">
│ │ │ │ +      <ocil:title>Firefox must be configured to not automatically update installed add-ons and plugins.</ocil:title>
│ │ │ │        <ocil:actions>
│ │ │ │ -        <ocil:test_action_ref>ocil:ssg-firefox_policy-cryptomining_action:testaction:1</ocil:test_action_ref>
│ │ │ │ +        <ocil:test_action_ref>ocil:ssg-firefox_policy-extension_update_action:testaction:1</ocil:test_action_ref>
│ │ │ │        </ocil:actions>
│ │ │ │      </ocil:questionnaire>
│ │ │ │ -    <ocil:questionnaire id="ocil:ssg-firefox_preferences-auto-download_actions_ocil:questionnaire:1">
│ │ │ │ -      <ocil:title>Disable auto-download for proscribed MIME types.</ocil:title>
│ │ │ │ +    <ocil:questionnaire id="ocil:ssg-firefox_preferences-dod_root_certificate_installed_ocil:questionnaire:1">
│ │ │ │ +      <ocil:title>The DoD Root Certificate Exists</ocil:title>
│ │ │ │        <ocil:actions>
│ │ │ │ -        <ocil:test_action_ref>ocil:ssg-firefox_preferences-auto-download_actions_action:testaction:1</ocil:test_action_ref>
│ │ │ │ +        <ocil:test_action_ref>ocil:ssg-firefox_preferences-dod_root_certificate_installed_action:testaction:1</ocil:test_action_ref>
│ │ │ │        </ocil:actions>
│ │ │ │      </ocil:questionnaire>
│ │ │ │ -    <ocil:questionnaire id="ocil:ssg-firefox_policy-search_update_ocil:questionnaire:1">
│ │ │ │ -      <ocil:title>Disable Installed Search Plugins Update Checking</ocil:title>
│ │ │ │ +    <ocil:questionnaire id="ocil:ssg-firefox_policy-enhanced_tracking_ocil:questionnaire:1">
│ │ │ │ +      <ocil:title>Enabled Firefox Enhanced Tracking Protection</ocil:title>
│ │ │ │        <ocil:actions>
│ │ │ │ -        <ocil:test_action_ref>ocil:ssg-firefox_policy-search_update_action:testaction:1</ocil:test_action_ref>
│ │ │ │ +        <ocil:test_action_ref>ocil:ssg-firefox_policy-enhanced_tracking_action:testaction:1</ocil:test_action_ref>
│ │ │ │        </ocil:actions>
│ │ │ │      </ocil:questionnaire>
│ │ │ │    </ocil:questionnaires>
│ │ │ │    <ocil:test_actions>
│ │ │ │ -    <ocil:boolean_question_test_action id="ocil:ssg-firefox_policy-javascript_window_resizing_action:testaction:1" question_ref="ocil:ssg-firefox_policy-javascript_window_resizing_question:question:1">
│ │ │ │ +    <ocil:boolean_question_test_action id="ocil:ssg-firefox_policy-content_blocker_action:testaction:1" question_ref="ocil:ssg-firefox_policy-content_blocker_question:question:1">
│ │ │ │        <ocil:when_true>
│ │ │ │          <ocil:result>PASS</ocil:result>
│ │ │ │        </ocil:when_true>
│ │ │ │        <ocil:when_false>
│ │ │ │          <ocil:result>FAIL</ocil:result>
│ │ │ │        </ocil:when_false>
│ │ │ │      </ocil:boolean_question_test_action>
│ │ │ │ -    <ocil:boolean_question_test_action id="ocil:ssg-installed_firefox_version_supported_action:testaction:1" question_ref="ocil:ssg-installed_firefox_version_supported_question:question:1">
│ │ │ │ +    <ocil:boolean_question_test_action id="ocil:ssg-firefox_policy-search_update_action:testaction:1" question_ref="ocil:ssg-firefox_policy-search_update_question:question:1">
│ │ │ │        <ocil:when_true>
│ │ │ │          <ocil:result>PASS</ocil:result>
│ │ │ │        </ocil:when_true>
│ │ │ │        <ocil:when_false>
│ │ │ │          <ocil:result>FAIL</ocil:result>
│ │ │ │        </ocil:when_false>
│ │ │ │      </ocil:boolean_question_test_action>
│ │ │ │ -    <ocil:boolean_question_test_action id="ocil:ssg-firefox_policy-disable_studies_action:testaction:1" question_ref="ocil:ssg-firefox_policy-disable_studies_question:question:1">
│ │ │ │ +    <ocil:boolean_question_test_action id="ocil:ssg-firefox_policy-pop-up_windows_action:testaction:1" question_ref="ocil:ssg-firefox_policy-pop-up_windows_question:question:1">
│ │ │ │        <ocil:when_true>
│ │ │ │          <ocil:result>PASS</ocil:result>
│ │ │ │        </ocil:when_true>
│ │ │ │        <ocil:when_false>
│ │ │ │          <ocil:result>FAIL</ocil:result>
│ │ │ │        </ocil:when_false>
│ │ │ │      </ocil:boolean_question_test_action>
│ │ │ │ -    <ocil:boolean_question_test_action id="ocil:ssg-firefox_policy-javascript_window_changes_action:testaction:1" question_ref="ocil:ssg-firefox_policy-javascript_window_changes_question:question:1">
│ │ │ │ +    <ocil:boolean_question_test_action id="ocil:ssg-firefox_policy-autoplay_video_action:testaction:1" question_ref="ocil:ssg-firefox_policy-autoplay_video_question:question:1">
│ │ │ │        <ocil:when_true>
│ │ │ │          <ocil:result>PASS</ocil:result>
│ │ │ │        </ocil:when_true>
│ │ │ │        <ocil:when_false>
│ │ │ │          <ocil:result>FAIL</ocil:result>
│ │ │ │        </ocil:when_false>
│ │ │ │      </ocil:boolean_question_test_action>
│ │ │ │ -    <ocil:boolean_question_test_action id="ocil:ssg-firefox_preferences-enable_ca_trust_action:testaction:1" question_ref="ocil:ssg-firefox_preferences-enable_ca_trust_question:question:1">
│ │ │ │ +    <ocil:boolean_question_test_action id="ocil:ssg-firefox_policy-private_browsing_action:testaction:1" question_ref="ocil:ssg-firefox_policy-private_browsing_question:question:1">
│ │ │ │        <ocil:when_true>
│ │ │ │          <ocil:result>PASS</ocil:result>
│ │ │ │        </ocil:when_true>
│ │ │ │        <ocil:when_false>
│ │ │ │          <ocil:result>FAIL</ocil:result>
│ │ │ │        </ocil:when_false>
│ │ │ │      </ocil:boolean_question_test_action>
│ │ │ │ -    <ocil:boolean_question_test_action id="ocil:ssg-firefox_policy-autoplay_video_action:testaction:1" question_ref="ocil:ssg-firefox_policy-autoplay_video_question:question:1">
│ │ │ │ +    <ocil:boolean_question_test_action id="ocil:ssg-firefox_preferences-auto-download_actions_action:testaction:1" question_ref="ocil:ssg-firefox_preferences-auto-download_actions_question:question:1">
│ │ │ │        <ocil:when_true>
│ │ │ │          <ocil:result>PASS</ocil:result>
│ │ │ │        </ocil:when_true>
│ │ │ │        <ocil:when_false>
│ │ │ │          <ocil:result>FAIL</ocil:result>
│ │ │ │        </ocil:when_false>
│ │ │ │      </ocil:boolean_question_test_action>
│ │ │ │ -    <ocil:boolean_question_test_action id="ocil:ssg-firefox_policy-verification_action:testaction:1" question_ref="ocil:ssg-firefox_policy-verification_question:question:1">
│ │ │ │ +    <ocil:boolean_question_test_action id="ocil:ssg-firefox_policy-development_tools_action:testaction:1" question_ref="ocil:ssg-firefox_policy-development_tools_question:question:1">
│ │ │ │        <ocil:when_true>
│ │ │ │          <ocil:result>PASS</ocil:result>
│ │ │ │        </ocil:when_true>
│ │ │ │        <ocil:when_false>
│ │ │ │          <ocil:result>FAIL</ocil:result>
│ │ │ │        </ocil:when_false>
│ │ │ │      </ocil:boolean_question_test_action>
│ │ │ │ -    <ocil:boolean_question_test_action id="ocil:ssg-firefox_policy-content_blocker_action:testaction:1" question_ref="ocil:ssg-firefox_policy-content_blocker_question:question:1">
│ │ │ │ +    <ocil:boolean_question_test_action id="ocil:ssg-firefox_policy-verification_action:testaction:1" question_ref="ocil:ssg-firefox_policy-verification_question:question:1">
│ │ │ │        <ocil:when_true>
│ │ │ │          <ocil:result>PASS</ocil:result>
│ │ │ │        </ocil:when_true>
│ │ │ │        <ocil:when_false>
│ │ │ │          <ocil:result>FAIL</ocil:result>
│ │ │ │        </ocil:when_false>
│ │ │ │      </ocil:boolean_question_test_action>
│ │ │ │ -    <ocil:boolean_question_test_action id="ocil:ssg-firefox_policy-fingerprinting_protection_action:testaction:1" question_ref="ocil:ssg-firefox_policy-fingerprinting_protection_question:question:1">
│ │ │ │ +    <ocil:boolean_question_test_action id="ocil:ssg-firefox_policy-search_suggestion_action:testaction:1" question_ref="ocil:ssg-firefox_policy-search_suggestion_question:question:1">
│ │ │ │        <ocil:when_true>
│ │ │ │          <ocil:result>PASS</ocil:result>
│ │ │ │        </ocil:when_true>
│ │ │ │        <ocil:when_false>
│ │ │ │          <ocil:result>FAIL</ocil:result>
│ │ │ │        </ocil:when_false>
│ │ │ │      </ocil:boolean_question_test_action>
│ │ │ │ -    <ocil:boolean_question_test_action id="ocil:ssg-firefox_policy-enhanced_tracking_action:testaction:1" question_ref="ocil:ssg-firefox_policy-enhanced_tracking_question:question:1">
│ │ │ │ +    <ocil:boolean_question_test_action id="ocil:ssg-installed_firefox_version_supported_action:testaction:1" question_ref="ocil:ssg-installed_firefox_version_supported_question:question:1">
│ │ │ │        <ocil:when_true>
│ │ │ │          <ocil:result>PASS</ocil:result>
│ │ │ │        </ocil:when_true>
│ │ │ │        <ocil:when_false>
│ │ │ │          <ocil:result>FAIL</ocil:result>
│ │ │ │        </ocil:when_false>
│ │ │ │      </ocil:boolean_question_test_action>
│ │ │ │ -    <ocil:boolean_question_test_action id="ocil:ssg-firefox_policy-extension_recommendation_action:testaction:1" question_ref="ocil:ssg-firefox_policy-extension_recommendation_question:question:1">
│ │ │ │ +    <ocil:boolean_question_test_action id="ocil:ssg-firefox_policy-disable_studies_action:testaction:1" question_ref="ocil:ssg-firefox_policy-disable_studies_question:question:1">
│ │ │ │        <ocil:when_true>
│ │ │ │          <ocil:result>PASS</ocil:result>
│ │ │ │        </ocil:when_true>
│ │ │ │        <ocil:when_false>
│ │ │ │          <ocil:result>FAIL</ocil:result>
│ │ │ │        </ocil:when_false>
│ │ │ │      </ocil:boolean_question_test_action>
│ │ │ │ -    <ocil:boolean_question_test_action id="ocil:ssg-firefox_policy-disable_pocket_action:testaction:1" question_ref="ocil:ssg-firefox_policy-disable_pocket_question:question:1">
│ │ │ │ +    <ocil:boolean_question_test_action id="ocil:ssg-firefox_policy-cryptomining_action:testaction:1" question_ref="ocil:ssg-firefox_policy-cryptomining_question:question:1">
│ │ │ │        <ocil:when_true>
│ │ │ │          <ocil:result>PASS</ocil:result>
│ │ │ │        </ocil:when_true>
│ │ │ │        <ocil:when_false>
│ │ │ │          <ocil:result>FAIL</ocil:result>
│ │ │ │        </ocil:when_false>
│ │ │ │      </ocil:boolean_question_test_action>
│ │ │ │ -    <ocil:boolean_question_test_action id="ocil:ssg-firefox_policy-extension_update_action:testaction:1" question_ref="ocil:ssg-firefox_policy-extension_update_question:question:1">
│ │ │ │ +    <ocil:boolean_question_test_action id="ocil:ssg-firefox_preferences-enable_ca_trust_action:testaction:1" question_ref="ocil:ssg-firefox_preferences-enable_ca_trust_question:question:1">
│ │ │ │        <ocil:when_true>
│ │ │ │          <ocil:result>PASS</ocil:result>
│ │ │ │        </ocil:when_true>
│ │ │ │        <ocil:when_false>
│ │ │ │          <ocil:result>FAIL</ocil:result>
│ │ │ │        </ocil:when_false>
│ │ │ │      </ocil:boolean_question_test_action>
│ │ │ │ -    <ocil:boolean_question_test_action id="ocil:ssg-firefox_policy-forget_button_action:testaction:1" question_ref="ocil:ssg-firefox_policy-forget_button_question:question:1">
│ │ │ │ +    <ocil:boolean_question_test_action id="ocil:ssg-firefox_policy-javascript_window_changes_action:testaction:1" question_ref="ocil:ssg-firefox_policy-javascript_window_changes_question:question:1">
│ │ │ │        <ocil:when_true>
│ │ │ │          <ocil:result>PASS</ocil:result>
│ │ │ │        </ocil:when_true>
│ │ │ │        <ocil:when_false>
│ │ │ │          <ocil:result>FAIL</ocil:result>
│ │ │ │        </ocil:when_false>
│ │ │ │      </ocil:boolean_question_test_action>
│ │ │ │ -    <ocil:boolean_question_test_action id="ocil:ssg-firefox_policy-pop-up_windows_action:testaction:1" question_ref="ocil:ssg-firefox_policy-pop-up_windows_question:question:1">
│ │ │ │ +    <ocil:boolean_question_test_action id="ocil:ssg-firefox_policy-disable_deprecated_ciphers_action:testaction:1" question_ref="ocil:ssg-firefox_policy-disable_deprecated_ciphers_question:question:1">
│ │ │ │        <ocil:when_true>
│ │ │ │          <ocil:result>PASS</ocil:result>
│ │ │ │        </ocil:when_true>
│ │ │ │        <ocil:when_false>
│ │ │ │          <ocil:result>FAIL</ocil:result>
│ │ │ │        </ocil:when_false>
│ │ │ │      </ocil:boolean_question_test_action>
│ │ │ │ -    <ocil:boolean_question_test_action id="ocil:ssg-firefox_policy-disable_deprecated_ciphers_action:testaction:1" question_ref="ocil:ssg-firefox_policy-disable_deprecated_ciphers_question:question:1">
│ │ │ │ +    <ocil:boolean_question_test_action id="ocil:ssg-firefox_policy-telemetry_action:testaction:1" question_ref="ocil:ssg-firefox_policy-telemetry_question:question:1">
│ │ │ │        <ocil:when_true>
│ │ │ │          <ocil:result>PASS</ocil:result>
│ │ │ │        </ocil:when_true>
│ │ │ │        <ocil:when_false>
│ │ │ │          <ocil:result>FAIL</ocil:result>
│ │ │ │        </ocil:when_false>
│ │ │ │      </ocil:boolean_question_test_action>
│ │ │ │ -    <ocil:boolean_question_test_action id="ocil:ssg-firefox_policy-private_browsing_action:testaction:1" question_ref="ocil:ssg-firefox_policy-private_browsing_question:question:1">
│ │ │ │ +    <ocil:boolean_question_test_action id="ocil:ssg-firefox_policy-disable_pocket_action:testaction:1" question_ref="ocil:ssg-firefox_policy-disable_pocket_question:question:1">
│ │ │ │        <ocil:when_true>
│ │ │ │          <ocil:result>PASS</ocil:result>
│ │ │ │        </ocil:when_true>
│ │ │ │        <ocil:when_false>
│ │ │ │          <ocil:result>FAIL</ocil:result>
│ │ │ │        </ocil:when_false>
│ │ │ │      </ocil:boolean_question_test_action>
│ │ │ │ -    <ocil:boolean_question_test_action id="ocil:ssg-firefox_policy-development_tools_action:testaction:1" question_ref="ocil:ssg-firefox_policy-development_tools_question:question:1">
│ │ │ │ +    <ocil:boolean_question_test_action id="ocil:ssg-firefox_policy-fingerprinting_protection_action:testaction:1" question_ref="ocil:ssg-firefox_policy-fingerprinting_protection_question:question:1">
│ │ │ │        <ocil:when_true>
│ │ │ │          <ocil:result>PASS</ocil:result>
│ │ │ │        </ocil:when_true>
│ │ │ │        <ocil:when_false>
│ │ │ │          <ocil:result>FAIL</ocil:result>
│ │ │ │        </ocil:when_false>
│ │ │ │      </ocil:boolean_question_test_action>
│ │ │ │ -    <ocil:boolean_question_test_action id="ocil:ssg-firefox_policy-network_prediction_action:testaction:1" question_ref="ocil:ssg-firefox_policy-network_prediction_question:question:1">
│ │ │ │ +    <ocil:boolean_question_test_action id="ocil:ssg-firefox_policy-forget_button_action:testaction:1" question_ref="ocil:ssg-firefox_policy-forget_button_question:question:1">
│ │ │ │        <ocil:when_true>
│ │ │ │          <ocil:result>PASS</ocil:result>
│ │ │ │        </ocil:when_true>
│ │ │ │        <ocil:when_false>
│ │ │ │          <ocil:result>FAIL</ocil:result>
│ │ │ │        </ocil:when_false>
│ │ │ │      </ocil:boolean_question_test_action>
│ │ │ │ -    <ocil:boolean_question_test_action id="ocil:ssg-firefox_preferences-dod_root_certificate_installed_action:testaction:1" question_ref="ocil:ssg-firefox_preferences-dod_root_certificate_installed_question:question:1">
│ │ │ │ +    <ocil:boolean_question_test_action id="ocil:ssg-firefox_policy-network_prediction_action:testaction:1" question_ref="ocil:ssg-firefox_policy-network_prediction_question:question:1">
│ │ │ │        <ocil:when_true>
│ │ │ │          <ocil:result>PASS</ocil:result>
│ │ │ │        </ocil:when_true>
│ │ │ │        <ocil:when_false>
│ │ │ │          <ocil:result>FAIL</ocil:result>
│ │ │ │        </ocil:when_false>
│ │ │ │      </ocil:boolean_question_test_action>
│ │ │ │ -    <ocil:boolean_question_test_action id="ocil:ssg-firefox_policy-telemetry_action:testaction:1" question_ref="ocil:ssg-firefox_policy-telemetry_question:question:1">
│ │ │ │ +    <ocil:boolean_question_test_action id="ocil:ssg-firefox_policy-javascript_window_resizing_action:testaction:1" question_ref="ocil:ssg-firefox_policy-javascript_window_resizing_question:question:1">
│ │ │ │        <ocil:when_true>
│ │ │ │          <ocil:result>PASS</ocil:result>
│ │ │ │        </ocil:when_true>
│ │ │ │        <ocil:when_false>
│ │ │ │          <ocil:result>FAIL</ocil:result>
│ │ │ │        </ocil:when_false>
│ │ │ │      </ocil:boolean_question_test_action>
│ │ │ │ -    <ocil:boolean_question_test_action id="ocil:ssg-firefox_policy-search_suggestion_action:testaction:1" question_ref="ocil:ssg-firefox_policy-search_suggestion_question:question:1">
│ │ │ │ +    <ocil:boolean_question_test_action id="ocil:ssg-firefox_policy-extension_recommendation_action:testaction:1" question_ref="ocil:ssg-firefox_policy-extension_recommendation_question:question:1">
│ │ │ │        <ocil:when_true>
│ │ │ │          <ocil:result>PASS</ocil:result>
│ │ │ │        </ocil:when_true>
│ │ │ │        <ocil:when_false>
│ │ │ │          <ocil:result>FAIL</ocil:result>
│ │ │ │        </ocil:when_false>
│ │ │ │      </ocil:boolean_question_test_action>
│ │ │ │ -    <ocil:boolean_question_test_action id="ocil:ssg-firefox_policy-cryptomining_action:testaction:1" question_ref="ocil:ssg-firefox_policy-cryptomining_question:question:1">
│ │ │ │ +    <ocil:boolean_question_test_action id="ocil:ssg-firefox_policy-extension_update_action:testaction:1" question_ref="ocil:ssg-firefox_policy-extension_update_question:question:1">
│ │ │ │        <ocil:when_true>
│ │ │ │          <ocil:result>PASS</ocil:result>
│ │ │ │        </ocil:when_true>
│ │ │ │        <ocil:when_false>
│ │ │ │          <ocil:result>FAIL</ocil:result>
│ │ │ │        </ocil:when_false>
│ │ │ │      </ocil:boolean_question_test_action>
│ │ │ │ -    <ocil:boolean_question_test_action id="ocil:ssg-firefox_preferences-auto-download_actions_action:testaction:1" question_ref="ocil:ssg-firefox_preferences-auto-download_actions_question:question:1">
│ │ │ │ +    <ocil:boolean_question_test_action id="ocil:ssg-firefox_preferences-dod_root_certificate_installed_action:testaction:1" question_ref="ocil:ssg-firefox_preferences-dod_root_certificate_installed_question:question:1">
│ │ │ │        <ocil:when_true>
│ │ │ │          <ocil:result>PASS</ocil:result>
│ │ │ │        </ocil:when_true>
│ │ │ │        <ocil:when_false>
│ │ │ │          <ocil:result>FAIL</ocil:result>
│ │ │ │        </ocil:when_false>
│ │ │ │      </ocil:boolean_question_test_action>
│ │ │ │ -    <ocil:boolean_question_test_action id="ocil:ssg-firefox_policy-search_update_action:testaction:1" question_ref="ocil:ssg-firefox_policy-search_update_question:question:1">
│ │ │ │ +    <ocil:boolean_question_test_action id="ocil:ssg-firefox_policy-enhanced_tracking_action:testaction:1" question_ref="ocil:ssg-firefox_policy-enhanced_tracking_question:question:1">
│ │ │ │        <ocil:when_true>
│ │ │ │          <ocil:result>PASS</ocil:result>
│ │ │ │        </ocil:when_true>
│ │ │ │        <ocil:when_false>
│ │ │ │          <ocil:result>FAIL</ocil:result>
│ │ │ │        </ocil:when_false>
│ │ │ │      </ocil:boolean_question_test_action>
│ │ │ │    </ocil:test_actions>
│ │ │ │    <ocil:questions>
│ │ │ │ -    <ocil:boolean_question id="ocil:ssg-firefox_policy-javascript_window_resizing_question:question:1">
│ │ │ │ -      <ocil:question_text>To verify that JavaScript cannot change windows sizing,
│ │ │ │ +    <ocil:boolean_question id="ocil:ssg-firefox_policy-content_blocker_question:question:1">
│ │ │ │ +      <ocil:question_text>To verify that the policy is modified to automatically install the content blocker and that it's updates are not disabled,
│ │ │ │ +type the following into the browser address bar:
│ │ │ │ +about:policies
│ │ │ │ +The output should have the following under ExtensionSettings:
│ │ │ │ +"uBlock0@raymondhill.net": {
│ │ │ │ +"    "installation_mode":"normal_installed",
│ │ │ │ +"    "install_url":"https://addons.mozilla.org/firefox/downloads/latest/ublock-origin/latest.xpi",
│ │ │ │ +"    "updates_disabled":false}
│ │ │ │ +      Is it the case that ?</ocil:question_text>
│ │ │ │ +    </ocil:boolean_question>
│ │ │ │ +    <ocil:boolean_question id="ocil:ssg-firefox_policy-search_update_question:question:1">
│ │ │ │ +      <ocil:question_text>To verify that checks for installed search plugin updates are disabled,
│ │ │ │ +type the following into the browser address bar:
│ │ │ │ +about:policies
│ │ │ │ +The output should have the following under browser.search.update:
│ │ │ │ +Value: false
│ │ │ │ +Status: "locked"
│ │ │ │ +      Is it the case that it is not disabled?</ocil:question_text>
│ │ │ │ +    </ocil:boolean_question>
│ │ │ │ +    <ocil:boolean_question id="ocil:ssg-firefox_policy-pop-up_windows_question:question:1">
│ │ │ │ +      <ocil:question_text>To verify that pop-up blocker is enabled,
│ │ │ │ +run the following command:
│ │ │ │ +$ grep -B10 'PopupBlocking' FIREFOX_INSTALL_DIR/*.cfg
│ │ │ │ +The output should include:
│ │ │ │ +"Default": true
│ │ │ │ +"Locked": true
│ │ │ │ +      Is it the case that it is not enabled?</ocil:question_text>
│ │ │ │ +    </ocil:boolean_question>
│ │ │ │ +    <ocil:boolean_question id="ocil:ssg-firefox_policy-autoplay_video_question:question:1">
│ │ │ │ +      <ocil:question_text>To verify that search suggestions are disabled,
│ │ │ │ +type the following into the browser address bar:
│ │ │ │ +about:policies
│ │ │ │ +The output should have the following under Permissions -&gt; Autoplay:
│ │ │ │ +"Default": "block-audio-video"
│ │ │ │ +      Is it the case that ?</ocil:question_text>
│ │ │ │ +    </ocil:boolean_question>
│ │ │ │ +    <ocil:boolean_question id="ocil:ssg-firefox_policy-private_browsing_question:question:1">
│ │ │ │ +      <ocil:question_text>To verify that private browsing is disabled
│ │ │ │  type the following into the browser address bar:
│ │ │ │  about:policies
│ │ │ │  The output should have the following uder dom.disable_window_move_resize:
│ │ │ │ -"Value": true,
│ │ │ │ -"Status": "locked",
│ │ │ │ +"DisablePrivateBrowsing": true
│ │ │ │ +      Is it the case that ?</ocil:question_text>
│ │ │ │ +    </ocil:boolean_question>
│ │ │ │ +    <ocil:boolean_question id="ocil:ssg-firefox_preferences-auto-download_actions_question:question:1">
│ │ │ │ +      <ocil:question_text>To verify that any proscribed file types are configured for automatic download,
│ │ │ │ +type "about:preferences" into the search bar,  then
│ │ │ │ +type "Applications" in the Find bar in the upper-right corner.
│ │ │ │ +If any of the following file extensions are listed and the Action item associated with it 
│ │ │ │ +is an application that does or can execute the code, this is a finding.
│ │ │ │ +If the entry exists and the "Action" is "Save File" or "Always Ask", this is not a finding.
│ │ │ │ +
│ │ │ │ +  HTA
│ │ │ │ +  JSE
│ │ │ │ +  JS
│ │ │ │ +  MOCHA
│ │ │ │ +  SHS
│ │ │ │ +  VBE
│ │ │ │ +  VBS
│ │ │ │ +  SCT
│ │ │ │ +  WSC
│ │ │ │ +  FDF
│ │ │ │ +  XFDF
│ │ │ │ +  LSL
│ │ │ │ +  LSO
│ │ │ │ +  LSS
│ │ │ │ +  IQY
│ │ │ │ +  RQY
│ │ │ │ +  DOS
│ │ │ │ +  BAT
│ │ │ │ +  PS
│ │ │ │ +  EPS
│ │ │ │ +  WCH
│ │ │ │ +  WCM
│ │ │ │ +  WB1
│ │ │ │ +  WB3
│ │ │ │ +  WCH
│ │ │ │ +  WCM
│ │ │ │ +  AD
│ │ │ │ +
│ │ │ │ +      Is it the case that ?</ocil:question_text>
│ │ │ │ +    </ocil:boolean_question>
│ │ │ │ +    <ocil:boolean_question id="ocil:ssg-firefox_policy-development_tools_question:question:1">
│ │ │ │ +      <ocil:question_text>To verify that Firefox Development Tools are disabled,
│ │ │ │ +type the following into the browser address bar:
│ │ │ │ +about:policies
│ │ │ │ +The output should have the following:
│ │ │ │ +"DisableDeveloperTools": true,
│ │ │ │        Is it the case that it is not disabled?</ocil:question_text>
│ │ │ │      </ocil:boolean_question>
│ │ │ │ +    <ocil:boolean_question id="ocil:ssg-firefox_policy-verification_question:question:1">
│ │ │ │ +      <ocil:question_text>To verify that certificate verification is enabled, type the following into the browser address bar:
│ │ │ │ +    about:policies
│ │ │ │ +The output should have the following under security.default_personal_cert:
│ │ │ │ +Value: "Ask Every Time"
│ │ │ │ +Status: "locked"
│ │ │ │ +      Is it the case that it is not enabled?</ocil:question_text>
│ │ │ │ +    </ocil:boolean_question>
│ │ │ │ +    <ocil:boolean_question id="ocil:ssg-firefox_policy-search_suggestion_question:question:1">
│ │ │ │ +      <ocil:question_text>To verify that search suggestions are disabled,
│ │ │ │ +type the following into the browser address bar:
│ │ │ │ +about:policies
│ │ │ │ +The output should have the following:
│ │ │ │ +"SearchSuggestEnabled": false
│ │ │ │ +      Is it the case that ?</ocil:question_text>
│ │ │ │ +    </ocil:boolean_question>
│ │ │ │      <ocil:boolean_question id="ocil:ssg-installed_firefox_version_supported_question:question:1">
│ │ │ │        <ocil:question_text>If the system is joined to the Red Hat Network, a Red Hat Satellite Server, or
│ │ │ │  a yum server which provides updates, invoking the following command will
│ │ │ │  indicate if updates are available:
│ │ │ │  $ sudo yum check-update
│ │ │ │  If the system is not configured to update from one of these sources,
│ │ │ │  run the following command to list when each package was last updated:
│ │ │ │ @@ -388,224 +486,126 @@
│ │ │ │        <ocil:question_text>To verify that Studies is disabled,
│ │ │ │  type the following into the browser address bar:
│ │ │ │  about:policies
│ │ │ │  The output should have the following:
│ │ │ │  "DisableFirefoxStudies": true
│ │ │ │        Is it the case that ?</ocil:question_text>
│ │ │ │      </ocil:boolean_question>
│ │ │ │ -    <ocil:boolean_question id="ocil:ssg-firefox_policy-javascript_window_changes_question:question:1">
│ │ │ │ -      <ocil:question_text>To verify that JavaScript cannot change windows sizing,
│ │ │ │ +    <ocil:boolean_question id="ocil:ssg-firefox_policy-cryptomining_question:question:1">
│ │ │ │ +      <ocil:question_text>To verify that cryptomining protection is enabled,
│ │ │ │  type the following into the browser address bar:
│ │ │ │  about:policies
│ │ │ │ -The output should have the following uder dom.disable_window_flip:
│ │ │ │ -"Value": true,
│ │ │ │ -"Status": "locked",
│ │ │ │ -      Is it the case that it is not disabled?</ocil:question_text>
│ │ │ │ +The output should have the following under EnableTrackingProtection:
│ │ │ │ +"Cryptomining": true
│ │ │ │ +      Is it the case that ?</ocil:question_text>
│ │ │ │      </ocil:boolean_question>
│ │ │ │      <ocil:boolean_question id="ocil:ssg-firefox_preferences-enable_ca_trust_question:question:1">
│ │ │ │        <ocil:question_text>To verify that the central system cerificate authority store is enabled,
│ │ │ │  run the following command:
│ │ │ │  $ ls -l /etc/alternatives/libnssckbi.so.x86_64
│ │ │ │  The output should return something similar to:
│ │ │ │  lrwxrwxrwx. 1 root root 34 Apr 30 09:19 /etc/alternatives/libnssckbi.so.x86_64 -&gt; /usr/lib64/pkcs11/p11-kit-trust.so
│ │ │ │        Is it the case that it is not enabled?</ocil:question_text>
│ │ │ │      </ocil:boolean_question>
│ │ │ │ -    <ocil:boolean_question id="ocil:ssg-firefox_policy-autoplay_video_question:question:1">
│ │ │ │ -      <ocil:question_text>To verify that search suggestions are disabled,
│ │ │ │ -type the following into the browser address bar:
│ │ │ │ -about:policies
│ │ │ │ -The output should have the following under Permissions -&gt; Autoplay:
│ │ │ │ -"Default": "block-audio-video"
│ │ │ │ -      Is it the case that ?</ocil:question_text>
│ │ │ │ -    </ocil:boolean_question>
│ │ │ │ -    <ocil:boolean_question id="ocil:ssg-firefox_policy-verification_question:question:1">
│ │ │ │ -      <ocil:question_text>To verify that certificate verification is enabled, type the following into the browser address bar:
│ │ │ │ -    about:policies
│ │ │ │ -The output should have the following under security.default_personal_cert:
│ │ │ │ -Value: "Ask Every Time"
│ │ │ │ -Status: "locked"
│ │ │ │ -      Is it the case that it is not enabled?</ocil:question_text>
│ │ │ │ -    </ocil:boolean_question>
│ │ │ │ -    <ocil:boolean_question id="ocil:ssg-firefox_policy-content_blocker_question:question:1">
│ │ │ │ -      <ocil:question_text>To verify that the policy is modified to automatically install the content blocker and that it's updates are not disabled,
│ │ │ │ -type the following into the browser address bar:
│ │ │ │ -about:policies
│ │ │ │ -The output should have the following under ExtensionSettings:
│ │ │ │ -"uBlock0@raymondhill.net": {
│ │ │ │ -"    "installation_mode":"normal_installed",
│ │ │ │ -"    "install_url":"https://addons.mozilla.org/firefox/downloads/latest/ublock-origin/latest.xpi",
│ │ │ │ -"    "updates_disabled":false}
│ │ │ │ -      Is it the case that ?</ocil:question_text>
│ │ │ │ -    </ocil:boolean_question>
│ │ │ │ -    <ocil:boolean_question id="ocil:ssg-firefox_policy-fingerprinting_protection_question:question:1">
│ │ │ │ -      <ocil:question_text>To verify that fingerprinting protection is enabled,
│ │ │ │ +    <ocil:boolean_question id="ocil:ssg-firefox_policy-javascript_window_changes_question:question:1">
│ │ │ │ +      <ocil:question_text>To verify that JavaScript cannot change windows sizing,
│ │ │ │  type the following into the browser address bar:
│ │ │ │  about:policies
│ │ │ │ -The output should have the following under EnableTrackingProtection:
│ │ │ │ -"Fingerprinting": true
│ │ │ │ -      Is it the case that ?</ocil:question_text>
│ │ │ │ +The output should have the following uder dom.disable_window_flip:
│ │ │ │ +"Value": true,
│ │ │ │ +"Status": "locked",
│ │ │ │ +      Is it the case that it is not disabled?</ocil:question_text>
│ │ │ │      </ocil:boolean_question>
│ │ │ │ -    <ocil:boolean_question id="ocil:ssg-firefox_policy-enhanced_tracking_question:question:1">
│ │ │ │ -      <ocil:question_text>To verify that enhanced tracking protection is enabled,
│ │ │ │ +    <ocil:boolean_question id="ocil:ssg-firefox_policy-disable_deprecated_ciphers_question:question:1">
│ │ │ │ +      <ocil:question_text>To verify that deprecated ciphers are disabled,
│ │ │ │  type the following into the browser address bar:
│ │ │ │  about:policies
│ │ │ │ -The output should have the following under Preferences -&gt; browser.contentblocking.category:
│ │ │ │ -"Value": "strict"
│ │ │ │ -"Status": "locked"
│ │ │ │ +The output should have the following under DisabledCiphers:
│ │ │ │ +"TLS_RSA_WITH_3DES_EDE_CBC_SHA": true
│ │ │ │        Is it the case that ?</ocil:question_text>
│ │ │ │      </ocil:boolean_question>
│ │ │ │ -    <ocil:boolean_question id="ocil:ssg-firefox_policy-extension_recommendation_question:question:1">
│ │ │ │ -      <ocil:question_text>To verify that enhanced tracking protection is enabled,
│ │ │ │ +    <ocil:boolean_question id="ocil:ssg-firefox_policy-telemetry_question:question:1">
│ │ │ │ +      <ocil:question_text>To verify that Firefox telemetry is disabled,
│ │ │ │  type the following into the browser address bar:
│ │ │ │  about:policies
│ │ │ │ -The output should have the following under Preferences -&gt; extensions.htmlaboutaddons.recommendations.enabled:
│ │ │ │ -"Value": false
│ │ │ │ -"Status": "locked"
│ │ │ │ +The output should have the following:
│ │ │ │ +"DisableTelemetry": true
│ │ │ │        Is it the case that ?</ocil:question_text>
│ │ │ │      </ocil:boolean_question>
│ │ │ │      <ocil:boolean_question id="ocil:ssg-firefox_policy-disable_pocket_question:question:1">
│ │ │ │        <ocil:question_text>To verify that Pocket is disabled,
│ │ │ │  type the following into the browser address bar:
│ │ │ │  about:policies
│ │ │ │  The output should have the following:
│ │ │ │  "DisablePocket": true
│ │ │ │        Is it the case that ?</ocil:question_text>
│ │ │ │      </ocil:boolean_question>
│ │ │ │ -    <ocil:boolean_question id="ocil:ssg-firefox_policy-extension_update_question:question:1">
│ │ │ │ -      <ocil:question_text>To verify that certificate verification is enabled,
│ │ │ │ +    <ocil:boolean_question id="ocil:ssg-firefox_policy-fingerprinting_protection_question:question:1">
│ │ │ │ +      <ocil:question_text>To verify that fingerprinting protection is enabled,
│ │ │ │  type the following into the browser address bar:
│ │ │ │  about:policies
│ │ │ │ -The output should have the following:
│ │ │ │ -"ExtensionUpdate": false
│ │ │ │ -Status: "locked"
│ │ │ │ -      Is it the case that it is not enabled?</ocil:question_text>
│ │ │ │ +The output should have the following under EnableTrackingProtection:
│ │ │ │ +"Fingerprinting": true
│ │ │ │ +      Is it the case that ?</ocil:question_text>
│ │ │ │      </ocil:boolean_question>
│ │ │ │      <ocil:boolean_question id="ocil:ssg-firefox_policy-forget_button_question:question:1">
│ │ │ │        <ocil:question_text>To verify that users cannot access the forget button,
│ │ │ │  type the following into the browser address bar:
│ │ │ │  about:policies
│ │ │ │  The output should have the following:
│ │ │ │  "DisableForgetButon": true
│ │ │ │        Is it the case that ?</ocil:question_text>
│ │ │ │      </ocil:boolean_question>
│ │ │ │ -    <ocil:boolean_question id="ocil:ssg-firefox_policy-pop-up_windows_question:question:1">
│ │ │ │ -      <ocil:question_text>To verify that pop-up blocker is enabled,
│ │ │ │ -run the following command:
│ │ │ │ -$ grep -B10 'PopupBlocking' FIREFOX_INSTALL_DIR/*.cfg
│ │ │ │ -The output should include:
│ │ │ │ -"Default": true
│ │ │ │ -"Locked": true
│ │ │ │ -      Is it the case that it is not enabled?</ocil:question_text>
│ │ │ │ -    </ocil:boolean_question>
│ │ │ │ -    <ocil:boolean_question id="ocil:ssg-firefox_policy-disable_deprecated_ciphers_question:question:1">
│ │ │ │ -      <ocil:question_text>To verify that deprecated ciphers are disabled,
│ │ │ │ +    <ocil:boolean_question id="ocil:ssg-firefox_policy-network_prediction_question:question:1">
│ │ │ │ +      <ocil:question_text>To verify that network prediction is disabled,
│ │ │ │  type the following into the browser address bar:
│ │ │ │  about:policies
│ │ │ │ -The output should have the following under DisabledCiphers:
│ │ │ │ -"TLS_RSA_WITH_3DES_EDE_CBC_SHA": true
│ │ │ │ -      Is it the case that ?</ocil:question_text>
│ │ │ │ +The output should have the following:
│ │ │ │ +"NetworkPrediction": false
│ │ │ │ +      Is it the case that it is not disabled?</ocil:question_text>
│ │ │ │      </ocil:boolean_question>
│ │ │ │ -    <ocil:boolean_question id="ocil:ssg-firefox_policy-private_browsing_question:question:1">
│ │ │ │ -      <ocil:question_text>To verify that private browsing is disabled
│ │ │ │ +    <ocil:boolean_question id="ocil:ssg-firefox_policy-javascript_window_resizing_question:question:1">
│ │ │ │ +      <ocil:question_text>To verify that JavaScript cannot change windows sizing,
│ │ │ │  type the following into the browser address bar:
│ │ │ │  about:policies
│ │ │ │  The output should have the following uder dom.disable_window_move_resize:
│ │ │ │ -"DisablePrivateBrowsing": true
│ │ │ │ -      Is it the case that ?</ocil:question_text>
│ │ │ │ +"Value": true,
│ │ │ │ +"Status": "locked",
│ │ │ │ +      Is it the case that it is not disabled?</ocil:question_text>
│ │ │ │      </ocil:boolean_question>
│ │ │ │ -    <ocil:boolean_question id="ocil:ssg-firefox_policy-development_tools_question:question:1">
│ │ │ │ -      <ocil:question_text>To verify that Firefox Development Tools are disabled,
│ │ │ │ +    <ocil:boolean_question id="ocil:ssg-firefox_policy-extension_recommendation_question:question:1">
│ │ │ │ +      <ocil:question_text>To verify that enhanced tracking protection is enabled,
│ │ │ │  type the following into the browser address bar:
│ │ │ │  about:policies
│ │ │ │ -The output should have the following:
│ │ │ │ -"DisableDeveloperTools": true,
│ │ │ │ -      Is it the case that it is not disabled?</ocil:question_text>
│ │ │ │ +The output should have the following under Preferences -&gt; extensions.htmlaboutaddons.recommendations.enabled:
│ │ │ │ +"Value": false
│ │ │ │ +"Status": "locked"
│ │ │ │ +      Is it the case that ?</ocil:question_text>
│ │ │ │      </ocil:boolean_question>
│ │ │ │ -    <ocil:boolean_question id="ocil:ssg-firefox_policy-network_prediction_question:question:1">
│ │ │ │ -      <ocil:question_text>To verify that network prediction is disabled,
│ │ │ │ +    <ocil:boolean_question id="ocil:ssg-firefox_policy-extension_update_question:question:1">
│ │ │ │ +      <ocil:question_text>To verify that certificate verification is enabled,
│ │ │ │  type the following into the browser address bar:
│ │ │ │  about:policies
│ │ │ │  The output should have the following:
│ │ │ │ -"NetworkPrediction": false
│ │ │ │ -      Is it the case that it is not disabled?</ocil:question_text>
│ │ │ │ +"ExtensionUpdate": false
│ │ │ │ +Status: "locked"
│ │ │ │ +      Is it the case that it is not enabled?</ocil:question_text>
│ │ │ │      </ocil:boolean_question>
│ │ │ │      <ocil:boolean_question id="ocil:ssg-firefox_preferences-dod_root_certificate_installed_question:question:1">
│ │ │ │        <ocil:question_text>To verify that the DoD root certificate is installed,
│ │ │ │  list all certificates in /etc/pki/ca-trust/source/anchors
│ │ │ │  and compare them to the DoD root certificate. If there is a match
│ │ │ │  to the DoD root certificate, then the DoD root certificate is
│ │ │ │  installed.
│ │ │ │        Is it the case that it is not installed?</ocil:question_text>
│ │ │ │      </ocil:boolean_question>
│ │ │ │ -    <ocil:boolean_question id="ocil:ssg-firefox_policy-telemetry_question:question:1">
│ │ │ │ -      <ocil:question_text>To verify that Firefox telemetry is disabled,
│ │ │ │ -type the following into the browser address bar:
│ │ │ │ -about:policies
│ │ │ │ -The output should have the following:
│ │ │ │ -"DisableTelemetry": true
│ │ │ │ -      Is it the case that ?</ocil:question_text>
│ │ │ │ -    </ocil:boolean_question>
│ │ │ │ -    <ocil:boolean_question id="ocil:ssg-firefox_policy-search_suggestion_question:question:1">
│ │ │ │ -      <ocil:question_text>To verify that search suggestions are disabled,
│ │ │ │ -type the following into the browser address bar:
│ │ │ │ -about:policies
│ │ │ │ -The output should have the following:
│ │ │ │ -"SearchSuggestEnabled": false
│ │ │ │ -      Is it the case that ?</ocil:question_text>
│ │ │ │ -    </ocil:boolean_question>
│ │ │ │ -    <ocil:boolean_question id="ocil:ssg-firefox_policy-cryptomining_question:question:1">
│ │ │ │ -      <ocil:question_text>To verify that cryptomining protection is enabled,
│ │ │ │ +    <ocil:boolean_question id="ocil:ssg-firefox_policy-enhanced_tracking_question:question:1">
│ │ │ │ +      <ocil:question_text>To verify that enhanced tracking protection is enabled,
│ │ │ │  type the following into the browser address bar:
│ │ │ │  about:policies
│ │ │ │ -The output should have the following under EnableTrackingProtection:
│ │ │ │ -"Cryptomining": true
│ │ │ │ -      Is it the case that ?</ocil:question_text>
│ │ │ │ -    </ocil:boolean_question>
│ │ │ │ -    <ocil:boolean_question id="ocil:ssg-firefox_preferences-auto-download_actions_question:question:1">
│ │ │ │ -      <ocil:question_text>To verify that any proscribed file types are configured for automatic download,
│ │ │ │ -type "about:preferences" into the search bar,  then
│ │ │ │ -type "Applications" in the Find bar in the upper-right corner.
│ │ │ │ -If any of the following file extensions are listed and the Action item associated with it 
│ │ │ │ -is an application that does or can execute the code, this is a finding.
│ │ │ │ -If the entry exists and the "Action" is "Save File" or "Always Ask", this is not a finding.
│ │ │ │ -
│ │ │ │ -  HTA
│ │ │ │ -  JSE
│ │ │ │ -  JS
│ │ │ │ -  MOCHA
│ │ │ │ -  SHS
│ │ │ │ -  VBE
│ │ │ │ -  VBS
│ │ │ │ -  SCT
│ │ │ │ -  WSC
│ │ │ │ -  FDF
│ │ │ │ -  XFDF
│ │ │ │ -  LSL
│ │ │ │ -  LSO
│ │ │ │ -  LSS
│ │ │ │ -  IQY
│ │ │ │ -  RQY
│ │ │ │ -  DOS
│ │ │ │ -  BAT
│ │ │ │ -  PS
│ │ │ │ -  EPS
│ │ │ │ -  WCH
│ │ │ │ -  WCM
│ │ │ │ -  WB1
│ │ │ │ -  WB3
│ │ │ │ -  WCH
│ │ │ │ -  WCM
│ │ │ │ -  AD
│ │ │ │ -
│ │ │ │ +The output should have the following under Preferences -&gt; browser.contentblocking.category:
│ │ │ │ +"Value": "strict"
│ │ │ │ +"Status": "locked"
│ │ │ │        Is it the case that ?</ocil:question_text>
│ │ │ │      </ocil:boolean_question>
│ │ │ │ -    <ocil:boolean_question id="ocil:ssg-firefox_policy-search_update_question:question:1">
│ │ │ │ -      <ocil:question_text>To verify that checks for installed search plugin updates are disabled,
│ │ │ │ -type the following into the browser address bar:
│ │ │ │ -about:policies
│ │ │ │ -The output should have the following under browser.search.update:
│ │ │ │ -Value: false
│ │ │ │ -Status: "locked"
│ │ │ │ -      Is it the case that it is not disabled?</ocil:question_text>
│ │ │ │ -    </ocil:boolean_question>
│ │ │ │    </ocil:questions>
│ │ │ │  </ocil:ocil>