diff --git a/components/sequoia.yml b/components/sequoia.yml
new file mode 100644
index 000000000000..ac92da0021fb
--- /dev/null
+++ b/components/sequoia.yml
@@ -0,0 +1,5 @@
+name: sequoia
+packages:
+- sequoia-sq
+rules:
+- package_sequoia-sq_installed
diff --git a/controls/anssi.yml b/controls/anssi.yml
index 43258e5de1ef..ea88b22c4b38 100644
--- a/controls/anssi.yml
+++ b/controls/anssi.yml
@@ -1255,6 +1255,8 @@ controls:
- ensure_gpgcheck_globally_activated
- ensure_gpgcheck_local_packages
- ensure_redhat_gpgkey_installed
+ # this is relevant for RHEL only
+ - package_sequoia-sq_installed
- ensure_oracle_gpgkey_installed
- ensure_almalinux_gpgkey_installed
diff --git a/controls/e8.yml b/controls/e8.yml
index eecf857ad43d..c2613a4b1d48 100644
--- a/controls/e8.yml
+++ b/controls/e8.yml
@@ -25,6 +25,8 @@ controls:
- package_squid_removed
- service_squid_disabled
- ensure_redhat_gpgkey_installed
+ # the rule ensure_redhat_gpgkey_installed needs a special package on RHEL 10 which is not installed by default
+ - package_sequoia-sq_installed
- ensure_gpgcheck_never_disabled
- ensure_gpgcheck_local_packages
- ensure_gpgcheck_globally_activated
diff --git a/controls/hipaa.yml b/controls/hipaa.yml
index 0f547074047b..ccc5b6244edb 100644
--- a/controls/hipaa.yml
+++ b/controls/hipaa.yml
@@ -171,6 +171,8 @@ controls:
- ensure_gpgcheck_never_disabled
- ensure_gpgcheck_repo_metadata
- ensure_redhat_gpgkey_installed
+ # This is needed for RHEL 10
+ - package_sequoia-sq_installed
- ensure_suse_gpgkey_installed
- ensure_almalinux_gpgkey_installed
status: automated
diff --git a/controls/ism_o.yml b/controls/ism_o.yml
index 2d72bf2d5eb7..28b1cde5d233 100644
--- a/controls/ism_o.yml
+++ b/controls/ism_o.yml
@@ -604,6 +604,7 @@ controls:
- ensure_gpgcheck_local_packages
- ensure_gpgcheck_never_disabled
- ensure_redhat_gpgkey_installed
+ - package_sequoia-sq_installed
- ensure_oracle_gpgkey_installed
- dnf-automatic_security_updates_only
status: automated
diff --git a/controls/ospp.yml b/controls/ospp.yml
index d3f59d9a21d1..080ea993a982 100644
--- a/controls/ospp.yml
+++ b/controls/ospp.yml
@@ -448,6 +448,8 @@ controls:
- ensure_gpgcheck_local_packages
- ensure_gpgcheck_never_disabled
- ensure_redhat_gpgkey_installed
+ # This package is needed for RHEL 10
+ - package_sequoia-sq_installed
status: automated
- id: FPT_TUD_EXT.2
@@ -462,6 +464,8 @@ controls:
- ensure_gpgcheck_local_packages
- ensure_gpgcheck_never_disabled
- ensure_redhat_gpgkey_installed
+ # This package is needed for RHEL 10
+ - package_sequoia-sq_installed
status: automated
- id: FPT_TST_EXT.1
diff --git a/controls/pcidss_4.yml b/controls/pcidss_4.yml
index 087341f71dbc..8db6d14144e7 100644
--- a/controls/pcidss_4.yml
+++ b/controls/pcidss_4.yml
@@ -1556,6 +1556,8 @@ controls:
status: automated
rules:
- ensure_redhat_gpgkey_installed
+ # This package is needed for RHEL 10
+ - package_sequoia-sq_installed
- ensure_suse_gpgkey_installed
- ensure_almalinux_gpgkey_installed
- ensure_gpgcheck_globally_activated
diff --git a/controls/srg_gpos/SRG-OS-000366-GPOS-00153.yml b/controls/srg_gpos/SRG-OS-000366-GPOS-00153.yml
index fe4a72981f85..db8d003c06fc 100644
--- a/controls/srg_gpos/SRG-OS-000366-GPOS-00153.yml
+++ b/controls/srg_gpos/SRG-OS-000366-GPOS-00153.yml
@@ -17,6 +17,7 @@ controls:
{{% endif %}}
{{% if 'rhel' in product %}}
- ensure_redhat_gpgkey_installed
+ - package_sequoia-sq_installed
{{% endif %}}
{{% if 'ol' in families %}}
- ensure_oracle_gpgkey_installed
diff --git a/linux_os/guide/system/software/system-tools/package_sequoia-sq_installed/rule.yml b/linux_os/guide/system/software/system-tools/package_sequoia-sq_installed/rule.yml
new file mode 100644
index 000000000000..7ee63f9a25de
--- /dev/null
+++ b/linux_os/guide/system/software/system-tools/package_sequoia-sq_installed/rule.yml
@@ -0,0 +1,31 @@
+documentation_complete: true
+
+title: 'Install sequoia-sq Package'
+
+description: |-
+ {{{ describe_package_install(package="sequoia-sq") }}}
+
+rationale: |-
+ The sequoia-sq package provides the sq command-line tool,
+ which is used for OpenPGP operations including verification of GPG signatures.
+ This tool is required for cryptographic verification of software packages and
+ GPG keys using modern OpenPGP implementations.
+
+severity: low
+
+identifiers:
+ cce@rhel10: CCE-86458-7
+
+references:
+ hipaa: 164.308(a)(1)(ii)(D),164.312(b),164.312(c)(1),164.312(c)(2),164.312(e)(2)(i)
+ ospp: FPT_TUD_EXT.1,FPT_TUD_EXT.2
+ srg: SRG-OS-000366-GPOS-00153
+
+ocil_clause: 'the package is not installed'
+
+ocil: '{{{ ocil_package(package="sequoia-sq") }}}'
+
+template:
+ name: package_installed
+ vars:
+ pkgname: sequoia-sq
diff --git a/linux_os/guide/system/software/updating/ensure_redhat_gpgkey_installed/ansible/shared.yml b/linux_os/guide/system/software/updating/ensure_redhat_gpgkey_installed/ansible/shared.yml
index 170ad0c0d909..8080f0c6ced3 100644
--- a/linux_os/guide/system/software/updating/ensure_redhat_gpgkey_installed/ansible/shared.yml
+++ b/linux_os/guide/system/software/updating/ensure_redhat_gpgkey_installed/ansible/shared.yml
@@ -3,7 +3,7 @@
# strategy = restrict
# complexity = medium
# disruption = medium
-- name: "Read permission of GPG key directory"
+- name: "{{{ rule_title }}}: Read permission of GPG key directory"
ansible.builtin.stat:
path: /etc/pki/rpm-gpg/
register: gpg_key_directory_permission
@@ -11,7 +11,22 @@
# It should fail if it doesn't find any fingerprints in file - maybe file was not parsed well.
-- name: Read signatures in GPG key
+{{% if "rhel" in families and major_version_ordinal >= 10 %}}
+# RHEL >= 10: Use sq command from sequoia-sq package
+- name: "{{{ rule_title }}}: Read signatures in GPG key using sq"
+ ansible.builtin.command: sq inspect /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
+ changed_when: false
+ failed_when: False
+ check_mode: no
+ register: gpg_fingerprints
+
+- name: "{{{ rule_title }}}: Set Fact - Installed GPG Fingerprints (sq format)"
+ ansible.builtin.set_fact:
+ gpg_installed_fingerprints: "{{ gpg_fingerprints.stdout | regex_findall('Fingerprint:\\s*([0-9A-Fa-f]+)', '\\1') | list }}"
+{{% else %}}
+# RHEL 8, 9 and other versions: Use gpg command
+
+- name: "{{{ rule_title }}}: Read signatures in GPG key"
# According to /usr/share/doc/gnupg2/DETAILS fingerprints are in "fpr" record in field 10
ansible.builtin.command: gpg --show-keys --with-fingerprint --with-colons "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release"
changed_when: False
@@ -19,17 +34,22 @@
failed_when: False
check_mode: no
-- name: Set Fact - Installed GPG Fingerprints
+- name: "{{{ rule_title }}}: Set Fact - Installed GPG Fingerprints"
ansible.builtin.set_fact:
- gpg_installed_fingerprints: "{{ gpg_fingerprints.stdout | regex_findall('^pub.*\n(?:^fpr[:]*)([0-9A-Fa-f]*)', '\\1') | list }}"
+ gpg_installed_fingerprints: "{{ gpg_fingerprints.stdout | regex_findall('^pub.*\\n(?:^fpr[:]*)([0-9A-Fa-f]*)', '\\1') | list }}"
+
+{{% endif %}}
-- name: Set Fact - Valid fingerprints
+- name: "{{{ rule_title }}}: Set Fact - Valid fingerprints"
ansible.builtin.set_fact:
gpg_valid_fingerprints:
- "{{{ release_key_fingerprint }}}"
- "{{{ auxiliary_key_fingerprint }}}"
+{{% if "rhel" in families and major_version_ordinal >= 10 %}}
+ - "{{{ pqc_key_fingerprint }}}"
+{{% endif %}}
-- name: Import RedHat GPG key
+- name: "{{{ rule_title }}}: Import RedHat GPG key"
ansible.builtin.rpm_key:
state: present
key: /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
diff --git a/linux_os/guide/system/software/updating/ensure_redhat_gpgkey_installed/bash/shared.sh b/linux_os/guide/system/software/updating/ensure_redhat_gpgkey_installed/bash/shared.sh
index 33a0101fd084..53931cd4009d 100644
--- a/linux_os/guide/system/software/updating/ensure_redhat_gpgkey_installed/bash/shared.sh
+++ b/linux_os/guide/system/software/updating/ensure_redhat_gpgkey_installed/bash/shared.sh
@@ -2,6 +2,9 @@
# The two fingerprints below are retrieved from https://access.redhat.com/security/team/key
readonly REDHAT_RELEASE_FINGERPRINT="{{{ release_key_fingerprint }}}"
readonly REDHAT_AUXILIARY_FINGERPRINT="{{{ auxiliary_key_fingerprint }}}"
+{{% if "rhel" in families and major_version_ordinal >= 10 %}}
+readonly REDHAT_PQC_FINGERPRINT="{{{ pqc_key_fingerprint }}}"
+{{% endif %}}
# Location of the key we would like to import (once it's integrity verified)
readonly REDHAT_RELEASE_KEY="/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release"
@@ -13,12 +16,20 @@ if [ "${RPM_GPG_DIR_PERMS}" -le "755" ]
then
# If they are safe, try to obtain fingerprints from the key file
# (to ensure there won't be e.g. CRC error).
+{{% if "rhel" in families and major_version_ordinal >= 10 %}}
+ readarray -t GPG_OUT < <(sq inspect "$REDHAT_RELEASE_KEY" | grep Fingerprint: | cut -d ":" -f 2)
+{{% else %}}
readarray -t GPG_OUT < <(gpg --show-keys --with-fingerprint --with-colons "$REDHAT_RELEASE_KEY" | grep -A1 "^pub" | grep "^fpr" | cut -d ":" -f 10)
+{{% endif %}}
GPG_RESULT=$?
# No CRC error, safe to proceed
if [ "${GPG_RESULT}" -eq "0" ]
then
+{{% if "rhel" in families and major_version_ordinal >= 10 %}}
+ echo "${GPG_OUT[*]}" | grep -vE "${REDHAT_RELEASE_FINGERPRINT}|${REDHAT_AUXILIARY_FINGERPRINT}|${REDHAT_PQC_FINGERPRINT}" || {
+{{% else %}}
echo "${GPG_OUT[*]}" | grep -vE "${REDHAT_RELEASE_FINGERPRINT}|${REDHAT_AUXILIARY_FINGERPRINT}" || {
+{{% endif %}}
# If $REDHAT_RELEASE_KEY file doesn't contain any keys with unknown fingerprint, import it
rpm --import "${REDHAT_RELEASE_KEY}"
}
diff --git a/linux_os/guide/system/software/updating/ensure_redhat_gpgkey_installed/oval/shared.xml b/linux_os/guide/system/software/updating/ensure_redhat_gpgkey_installed/oval/shared.xml
index 866bae8a96e7..6871feba83b3 100644
--- a/linux_os/guide/system/software/updating/ensure_redhat_gpgkey_installed/oval/shared.xml
+++ b/linux_os/guide/system/software/updating/ensure_redhat_gpgkey_installed/oval/shared.xml
@@ -10,10 +10,12 @@
-
-
+{{% if "rhel" in families and major_version_ordinal >= 10 %}}
+
+{{% endif %}}
{{%- if centos_major_version %}}
@@ -57,6 +59,21 @@
{{{ aux_pkg_version }}}
+{{% if "rhel" in families and major_version_ordinal >= 10 %}}
+
+
+
+
+
+
+
+ {{{ pqc_pkg_release }}}
+ {{{ pqc_pkg_version }}}
+
+{{%endif %}}
+
{{%- if centos_major_version %}}
= 10 %}}
+# packages = sequoia-sq
+{{% endif %}}
# remove all available keys
diff --git a/products/alinux2/profiles/pci-dss.profile b/products/alinux2/profiles/pci-dss.profile
index 8ceefb4e929a..ba24adfa7c66 100644
--- a/products/alinux2/profiles/pci-dss.profile
+++ b/products/alinux2/profiles/pci-dss.profile
@@ -25,6 +25,7 @@ selections:
- '!set_loopback_traffic'
- '!timer_logrotate_enabled'
- '!ensure_redhat_gpgkey_installed'
+ - '!package_sequoia-sq_installed'
# Following rules once had a prodtype incompatible with the alinux2 product
- '!auditd_data_retention_space_left'
- '!grub2_audit_backlog_limit_argument'
diff --git a/products/alinux3/profiles/pci-dss.profile b/products/alinux3/profiles/pci-dss.profile
index a9decbd4e146..233b2a3d8725 100644
--- a/products/alinux3/profiles/pci-dss.profile
+++ b/products/alinux3/profiles/pci-dss.profile
@@ -32,6 +32,7 @@ selections:
- '!package_rsh_removed'
- '!package_rsh-server_removed'
- '!ensure_redhat_gpgkey_installed'
+ - '!package_sequoia-sq_installed'
# Following rules once had a prodtype incompatible with the alinux3 product
- '!auditd_data_retention_space_left'
- '!set_firewalld_default_zone'
diff --git a/products/almalinux9/profiles/anssi_bp28_enhanced.profile b/products/almalinux9/profiles/anssi_bp28_enhanced.profile
index 4112a28ceaf6..ef3cdd72f81c 100644
--- a/products/almalinux9/profiles/anssi_bp28_enhanced.profile
+++ b/products/almalinux9/profiles/anssi_bp28_enhanced.profile
@@ -46,6 +46,7 @@ selections:
- '!cracklib_accounts_password_pam_dcredit'
- '!ensure_oracle_gpgkey_installed'
- '!ensure_redhat_gpgkey_installed'
+ - '!package_sequoia-sq_installed'
- '!package_kea_removed'
- '!file_groupowner_efi_grub2_cfg'
- '!file_owner_efi_grub2_cfg'
diff --git a/products/almalinux9/profiles/anssi_bp28_high.profile b/products/almalinux9/profiles/anssi_bp28_high.profile
index 1ae101f1b052..231285efde38 100644
--- a/products/almalinux9/profiles/anssi_bp28_high.profile
+++ b/products/almalinux9/profiles/anssi_bp28_high.profile
@@ -49,6 +49,7 @@ selections:
- '!cracklib_accounts_password_pam_dcredit'
- '!ensure_oracle_gpgkey_installed'
- '!ensure_redhat_gpgkey_installed'
+ - '!package_sequoia-sq_installed'
- '!package_kea_removed'
- '!audit_rules_file_deletion_events_renameat2'
- '!audit_rules_dac_modification_fchmodat2'
diff --git a/products/almalinux9/profiles/anssi_bp28_intermediary.profile b/products/almalinux9/profiles/anssi_bp28_intermediary.profile
index d54771bfcdbd..6325617820fe 100644
--- a/products/almalinux9/profiles/anssi_bp28_intermediary.profile
+++ b/products/almalinux9/profiles/anssi_bp28_intermediary.profile
@@ -39,6 +39,7 @@ selections:
- '!sudo_add_env_reset'
- '!ensure_oracle_gpgkey_installed'
- '!ensure_redhat_gpgkey_installed'
+ - '!package_sequoia-sq_installed'
- '!package_kea_removed'
- '!ldap_client_tls_cacertpath'
- '!ldap_client_start_tls'
diff --git a/products/almalinux9/profiles/anssi_bp28_minimal.profile b/products/almalinux9/profiles/anssi_bp28_minimal.profile
index e9bb292decf4..4c2462ab3fb3 100644
--- a/products/almalinux9/profiles/anssi_bp28_minimal.profile
+++ b/products/almalinux9/profiles/anssi_bp28_minimal.profile
@@ -32,4 +32,5 @@ selections:
- '!accounts_passwords_pam_tally2_unlock_time'
- '!ensure_oracle_gpgkey_installed'
- '!ensure_redhat_gpgkey_installed'
+ - '!package_sequoia-sq_installed'
- '!package_kea_removed'
diff --git a/products/almalinux9/profiles/pci-dss.profile b/products/almalinux9/profiles/pci-dss.profile
index 6f933a6a2db8..1e73d3fe7de0 100644
--- a/products/almalinux9/profiles/pci-dss.profile
+++ b/products/almalinux9/profiles/pci-dss.profile
@@ -61,6 +61,7 @@ selections:
- '!accounts_passwords_pam_tally2'
- '!ensure_suse_gpgkey_installed'
- '!ensure_redhat_gpgkey_installed'
+ - '!package_sequoia-sq_installed'
- '!gnome_gdm_disable_unattended_automatic_login'
- '!accounts_passwords_pam_tally2_unlock_time'
- '!cracklib_accounts_password_pam_minlen'
diff --git a/products/anolis23/profiles/pci-dss.profile b/products/anolis23/profiles/pci-dss.profile
index fc613f33414d..6d39d68990a0 100644
--- a/products/anolis23/profiles/pci-dss.profile
+++ b/products/anolis23/profiles/pci-dss.profile
@@ -35,6 +35,7 @@ selections:
- '!package_rsh_removed'
- '!package_rsh-server_removed'
- '!ensure_redhat_gpgkey_installed'
+ - '!package_sequoia-sq_installed'
# Following rules once had a prodtype incompatible with the anolis23 product
- '!auditd_data_retention_space_left'
- '!set_firewalld_default_zone'
diff --git a/products/anolis8/profiles/pci-dss.profile b/products/anolis8/profiles/pci-dss.profile
index 1b93ed5b5f69..952ce85116f2 100644
--- a/products/anolis8/profiles/pci-dss.profile
+++ b/products/anolis8/profiles/pci-dss.profile
@@ -32,6 +32,7 @@ selections:
- '!package_rsh_removed'
- '!package_rsh-server_removed'
- '!ensure_redhat_gpgkey_installed'
+ - '!package_sequoia-sq_installed'
# Following rules once had a prodtype incompatible with the anolis8 product
- '!auditd_data_retention_space_left'
- '!set_firewalld_default_zone'
diff --git a/products/debian12/profiles/anssi_bp28_enhanced.profile b/products/debian12/profiles/anssi_bp28_enhanced.profile
index 962c69aee7d6..f2d2af60d38f 100644
--- a/products/debian12/profiles/anssi_bp28_enhanced.profile
+++ b/products/debian12/profiles/anssi_bp28_enhanced.profile
@@ -44,6 +44,7 @@ selections:
# Following rules once had a prodtype incompatible with the debian12 product
- '!accounts_passwords_pam_tally2_deny_root'
- '!ensure_redhat_gpgkey_installed'
+ - '!package_sequoia-sq_installed'
- '!set_password_hashing_algorithm_systemauth'
- '!package_dnf-automatic_installed'
- '!dnf-automatic_security_updates_only'
diff --git a/products/debian12/profiles/anssi_bp28_high.profile b/products/debian12/profiles/anssi_bp28_high.profile
index 2860e48a2bff..73bd948cdd3c 100644
--- a/products/debian12/profiles/anssi_bp28_high.profile
+++ b/products/debian12/profiles/anssi_bp28_high.profile
@@ -44,6 +44,7 @@ selections:
# Following rules once had a prodtype incompatible with the debian12 product
- '!accounts_passwords_pam_tally2_deny_root'
- '!ensure_redhat_gpgkey_installed'
+ - '!package_sequoia-sq_installed'
- '!set_password_hashing_algorithm_systemauth'
- '!package_dnf-automatic_installed'
- '!dnf-automatic_security_updates_only'
diff --git a/products/debian12/profiles/anssi_bp28_intermediary.profile b/products/debian12/profiles/anssi_bp28_intermediary.profile
index f73f0a939c47..6520ecc29687 100644
--- a/products/debian12/profiles/anssi_bp28_intermediary.profile
+++ b/products/debian12/profiles/anssi_bp28_intermediary.profile
@@ -36,6 +36,7 @@ selections:
# Following rules once had a prodtype incompatible with the debian12 product
- '!accounts_passwords_pam_tally2_deny_root'
- '!ensure_redhat_gpgkey_installed'
+ - '!package_sequoia-sq_installed'
- '!set_password_hashing_algorithm_systemauth'
- '!package_dnf-automatic_installed'
- '!dnf-automatic_security_updates_only'
diff --git a/products/debian12/profiles/anssi_bp28_minimal.profile b/products/debian12/profiles/anssi_bp28_minimal.profile
index 184003c8f25b..b9c618d23c7e 100644
--- a/products/debian12/profiles/anssi_bp28_minimal.profile
+++ b/products/debian12/profiles/anssi_bp28_minimal.profile
@@ -23,6 +23,7 @@ selections:
# Following rules once had a prodtype incompatible with the debian12 product
- '!accounts_passwords_pam_tally2_deny_root'
- '!ensure_redhat_gpgkey_installed'
+ - '!package_sequoia-sq_installed'
- '!set_password_hashing_algorithm_systemauth'
- '!package_dnf-automatic_installed'
- '!dnf-automatic_security_updates_only'
diff --git a/products/debian13/profiles/anssi_bp28_enhanced.profile b/products/debian13/profiles/anssi_bp28_enhanced.profile
index 7939eb0e8da2..67fdd5cfbc33 100644
--- a/products/debian13/profiles/anssi_bp28_enhanced.profile
+++ b/products/debian13/profiles/anssi_bp28_enhanced.profile
@@ -48,6 +48,7 @@ selections:
# Following rules aren't compatible with Debian 13
- '!accounts_passwords_pam_tally2_deny_root'
- '!ensure_redhat_gpgkey_installed'
+ - '!package_sequoia-sq_installed'
- '!set_password_hashing_algorithm_systemauth'
- '!package_dnf-automatic_installed'
- '!dnf-automatic_security_updates_only'
diff --git a/products/debian13/profiles/anssi_bp28_high.profile b/products/debian13/profiles/anssi_bp28_high.profile
index 073d83e58ede..d5aae9cf346f 100644
--- a/products/debian13/profiles/anssi_bp28_high.profile
+++ b/products/debian13/profiles/anssi_bp28_high.profile
@@ -44,6 +44,7 @@ selections:
# Following rules aren't compatible with Debian 13
- '!accounts_passwords_pam_tally2_deny_root'
- '!ensure_redhat_gpgkey_installed'
+ - '!package_sequoia-sq_installed'
- '!set_password_hashing_algorithm_systemauth'
- '!package_dnf-automatic_installed'
- '!dnf-automatic_security_updates_only'
diff --git a/products/debian13/profiles/anssi_bp28_intermediary.profile b/products/debian13/profiles/anssi_bp28_intermediary.profile
index f2b343102704..b1c9bf586cbf 100644
--- a/products/debian13/profiles/anssi_bp28_intermediary.profile
+++ b/products/debian13/profiles/anssi_bp28_intermediary.profile
@@ -34,6 +34,7 @@ selections:
# Following rules aren't compatible with Debian 13
- '!accounts_passwords_pam_tally2_deny_root'
- '!ensure_redhat_gpgkey_installed'
+ - '!package_sequoia-sq_installed'
- '!set_password_hashing_algorithm_systemauth'
- '!package_dnf-automatic_installed'
- '!dnf-automatic_security_updates_only'
diff --git a/products/debian13/profiles/anssi_bp28_minimal.profile b/products/debian13/profiles/anssi_bp28_minimal.profile
index 98e8e2b95b22..1fa965edd67d 100644
--- a/products/debian13/profiles/anssi_bp28_minimal.profile
+++ b/products/debian13/profiles/anssi_bp28_minimal.profile
@@ -23,6 +23,7 @@ selections:
# Following rules aren't compatible with Debian 13
- '!accounts_passwords_pam_tally2_deny_root'
- '!ensure_redhat_gpgkey_installed'
+ - '!package_sequoia-sq_installed'
- '!set_password_hashing_algorithm_systemauth'
- '!package_dnf-automatic_installed'
- '!dnf-automatic_security_updates_only'
diff --git a/products/ol10/profiles/anssi_bp28_enhanced.profile b/products/ol10/profiles/anssi_bp28_enhanced.profile
index 3b5ec07c0e96..78b5ee701140 100644
--- a/products/ol10/profiles/anssi_bp28_enhanced.profile
+++ b/products/ol10/profiles/anssi_bp28_enhanced.profile
@@ -21,6 +21,7 @@ selections:
- '!accounts_passwords_pam_tally2_deny_root'
- '!install_PAE_kernel_on_x86-32'
- '!ensure_redhat_gpgkey_installed'
+ - '!package_sequoia-sq_installed'
- '!ensure_almalinux_gpgkey_installed'
- '!package_dracut-fips-aesni_installed'
- '!cracklib_accounts_password_pam_lcredit'
diff --git a/products/ol10/profiles/anssi_bp28_high.profile b/products/ol10/profiles/anssi_bp28_high.profile
index 53c0b77f617a..3ef5eca38845 100644
--- a/products/ol10/profiles/anssi_bp28_high.profile
+++ b/products/ol10/profiles/anssi_bp28_high.profile
@@ -22,6 +22,7 @@ selections:
- '!accounts_passwords_pam_tally2_deny_root'
- '!install_PAE_kernel_on_x86-32'
- '!ensure_redhat_gpgkey_installed'
+ - '!package_sequoia-sq_installed'
- '!ensure_almalinux_gpgkey_installed'
- '!aide_periodic_checking_systemd_timer'
- '!package_dracut-fips-aesni_installed'
diff --git a/products/ol10/profiles/anssi_bp28_intermediary.profile b/products/ol10/profiles/anssi_bp28_intermediary.profile
index 320f7d9d95d8..1666642d338f 100644
--- a/products/ol10/profiles/anssi_bp28_intermediary.profile
+++ b/products/ol10/profiles/anssi_bp28_intermediary.profile
@@ -28,6 +28,7 @@ selections:
- '!cracklib_accounts_password_pam_ocredit'
- '!accounts_passwords_pam_tally2_unlock_time'
- '!ensure_redhat_gpgkey_installed'
+ - '!package_sequoia-sq_installed'
- '!ensure_almalinux_gpgkey_installed'
- '!sudo_add_umask'
- '!no_nis_in_nsswitch'
diff --git a/products/ol10/profiles/anssi_bp28_minimal.profile b/products/ol10/profiles/anssi_bp28_minimal.profile
index 71904cba1081..7b20a82cf3ba 100644
--- a/products/ol10/profiles/anssi_bp28_minimal.profile
+++ b/products/ol10/profiles/anssi_bp28_minimal.profile
@@ -28,6 +28,7 @@ selections:
- '!cracklib_accounts_password_pam_ocredit'
- '!accounts_passwords_pam_tally2_unlock_time'
- '!ensure_redhat_gpgkey_installed'
+ - '!package_sequoia-sq_installed'
- '!ensure_almalinux_gpgkey_installed'
- '!security_patches_up_to_date'
- '!no_nis_in_nsswitch'
diff --git a/products/ol10/profiles/e8.profile b/products/ol10/profiles/e8.profile
index e5834345e566..92ef5b8b0541 100644
--- a/products/ol10/profiles/e8.profile
+++ b/products/ol10/profiles/e8.profile
@@ -17,6 +17,7 @@ selections:
- e8:all
- '!ensure_redhat_gpgkey_installed'
+ - '!package_sequoia-sq_installed'
- '!ensure_almalinux_gpgkey_installed'
- ensure_oracle_gpgkey_installed
diff --git a/products/ol10/profiles/hipaa.profile b/products/ol10/profiles/hipaa.profile
index 688845cf9dc4..900b942a72a8 100644
--- a/products/ol10/profiles/hipaa.profile
+++ b/products/ol10/profiles/hipaa.profile
@@ -20,6 +20,7 @@ selections:
- hipaa:all
- '!ensure_redhat_gpgkey_installed'
+ - '!package_sequoia-sq_installed'
- ensure_oracle_gpgkey_installed
# Conflicts with sshd_set_keepalive
diff --git a/products/ol10/profiles/ism_o.profile b/products/ol10/profiles/ism_o.profile
index 3735a6fa64af..346e4cc4a62e 100644
--- a/products/ol10/profiles/ism_o.profile
+++ b/products/ol10/profiles/ism_o.profile
@@ -82,6 +82,7 @@ selections:
- '!package_ypbind_removed'
- '!package_xinetd_removed'
- '!ensure_redhat_gpgkey_installed'
+ - '!package_sequoia-sq_installed'
- '!enable_authselect'
- '!service_xinetd_disabled'
diff --git a/products/ol10/profiles/ism_o_secret.profile b/products/ol10/profiles/ism_o_secret.profile
index a4959c1ad216..d4784c6a6dc4 100644
--- a/products/ol10/profiles/ism_o_secret.profile
+++ b/products/ol10/profiles/ism_o_secret.profile
@@ -85,3 +85,4 @@ selections:
- '!package_ypbind_removed'
- '!package_xinetd_removed'
- '!ensure_redhat_gpgkey_installed'
+ - '!package_sequoia-sq_installed'
diff --git a/products/ol10/profiles/ism_o_top_secret.profile b/products/ol10/profiles/ism_o_top_secret.profile
index 9261da2a2796..b298e2dc194a 100644
--- a/products/ol10/profiles/ism_o_top_secret.profile
+++ b/products/ol10/profiles/ism_o_top_secret.profile
@@ -85,3 +85,4 @@ selections:
- '!package_ypbind_removed'
- '!package_xinetd_removed'
- '!ensure_redhat_gpgkey_installed'
+ - '!package_sequoia-sq_installed'
diff --git a/products/ol10/profiles/ospp.profile b/products/ol10/profiles/ospp.profile
index de3d5e92df95..6344b2d9d587 100644
--- a/products/ol10/profiles/ospp.profile
+++ b/products/ol10/profiles/ospp.profile
@@ -55,6 +55,7 @@ selections:
- '!audit_perm_change_success_aarch64'
- '!audit_perm_change_success_ppc64le'
- '!ensure_redhat_gpgkey_installed'
+ - '!package_sequoia-sq_installed'
- 'ensure_oracle_gpgkey_installed'
- '!zipl_audit_argument'
- '!zipl_audit_backlog_limit_argument'
diff --git a/products/ol10/profiles/pci-dss.profile b/products/ol10/profiles/pci-dss.profile
index d1724d2e1bc5..55bb210d97d1 100644
--- a/products/ol10/profiles/pci-dss.profile
+++ b/products/ol10/profiles/pci-dss.profile
@@ -69,6 +69,7 @@ selections:
# Add oracle gpg key rule
- 'ensure_oracle_gpgkey_installed'
- '!ensure_redhat_gpgkey_installed'
+ - '!package_sequoia-sq_installed'
# OL 10 uses a different rule for auditing changes to selinux configuration
- '!audit_rules_mac_modification'
diff --git a/products/ol7/profiles/anssi_nt28_enhanced.profile b/products/ol7/profiles/anssi_nt28_enhanced.profile
index 0a715622606a..5d78d17861cb 100644
--- a/products/ol7/profiles/anssi_nt28_enhanced.profile
+++ b/products/ol7/profiles/anssi_nt28_enhanced.profile
@@ -21,6 +21,7 @@ selections:
- '!rsyslog_remote_tls'
- '!timer_logrotate_enabled'
- '!ensure_redhat_gpgkey_installed'
+ - '!package_sequoia-sq_installed'
- '!ensure_almalinux_gpgkey_installed'
- '!package_dnf-automatic_installed'
- '!audit_rules_privileged_commands_rmmod'
diff --git a/products/ol7/profiles/anssi_nt28_high.profile b/products/ol7/profiles/anssi_nt28_high.profile
index 906551d7ee0c..f336a92fefdc 100644
--- a/products/ol7/profiles/anssi_nt28_high.profile
+++ b/products/ol7/profiles/anssi_nt28_high.profile
@@ -23,6 +23,7 @@ selections:
- '!kernel_config_legacy_vsyscall_none'
- '!kernel_config_hardened_usercopy_fallback'
- '!ensure_redhat_gpgkey_installed'
+ - '!package_sequoia-sq_installed'
- '!ensure_almalinux_gpgkey_installed'
- '!aide_periodic_checking_systemd_timer'
- '!kernel_config_gcc_plugin_latent_entropy'
diff --git a/products/ol7/profiles/anssi_nt28_intermediary.profile b/products/ol7/profiles/anssi_nt28_intermediary.profile
index 2c64fc966c7c..80dd986444c1 100644
--- a/products/ol7/profiles/anssi_nt28_intermediary.profile
+++ b/products/ol7/profiles/anssi_nt28_intermediary.profile
@@ -17,6 +17,7 @@ selections:
- '!accounts_passwords_pam_tally2_deny_root'
- '!sysctl_kernel_unprivileged_bpf_disabled'
- '!ensure_redhat_gpgkey_installed'
+ - '!package_sequoia-sq_installed'
- '!ensure_almalinux_gpgkey_installed'
- '!package_dnf-automatic_installed'
- '!grub2_mds_argument'
diff --git a/products/ol7/profiles/anssi_nt28_minimal.profile b/products/ol7/profiles/anssi_nt28_minimal.profile
index 04d3e326d9be..67002f6b8105 100644
--- a/products/ol7/profiles/anssi_nt28_minimal.profile
+++ b/products/ol7/profiles/anssi_nt28_minimal.profile
@@ -27,6 +27,7 @@ selections:
- '!cracklib_accounts_password_pam_ocredit'
- '!accounts_passwords_pam_tally2_unlock_time'
- '!ensure_redhat_gpgkey_installed'
+ - '!package_sequoia-sq_installed'
- '!ensure_almalinux_gpgkey_installed'
- '!enable_authselect'
- '!package_kea_removed'
diff --git a/products/ol8/profiles/anssi_bp28_enhanced.profile b/products/ol8/profiles/anssi_bp28_enhanced.profile
index 3e7265b50053..15273e74d3a0 100644
--- a/products/ol8/profiles/anssi_bp28_enhanced.profile
+++ b/products/ol8/profiles/anssi_bp28_enhanced.profile
@@ -22,6 +22,7 @@ selections:
- '!accounts_passwords_pam_tally2_deny_root'
- '!timer_logrotate_enabled'
- '!ensure_redhat_gpgkey_installed'
+ - '!package_sequoia-sq_installed'
- '!ensure_almalinux_gpgkey_installed'
- '!audit_rules_privileged_commands_rmmod'
- '!grub2_mds_argument'
diff --git a/products/ol8/profiles/anssi_bp28_high.profile b/products/ol8/profiles/anssi_bp28_high.profile
index 48257a010a3e..12d1e3d54219 100644
--- a/products/ol8/profiles/anssi_bp28_high.profile
+++ b/products/ol8/profiles/anssi_bp28_high.profile
@@ -22,6 +22,7 @@ selections:
- '!accounts_passwords_pam_tally2_deny_root'
- '!timer_logrotate_enabled'
- '!ensure_redhat_gpgkey_installed'
+ - '!package_sequoia-sq_installed'
- '!ensure_almalinux_gpgkey_installed'
- '!aide_periodic_checking_systemd_timer'
- '!audit_rules_privileged_commands_rmmod'
diff --git a/products/ol8/profiles/anssi_bp28_intermediary.profile b/products/ol8/profiles/anssi_bp28_intermediary.profile
index 59810e007824..504646cc3427 100644
--- a/products/ol8/profiles/anssi_bp28_intermediary.profile
+++ b/products/ol8/profiles/anssi_bp28_intermediary.profile
@@ -32,6 +32,7 @@ selections:
- '!grub2_page_alloc_shuffle_argument'
- '!accounts_passwords_pam_tally2_unlock_time'
- '!ensure_redhat_gpgkey_installed'
+ - '!package_sequoia-sq_installed'
- '!ensure_almalinux_gpgkey_installed'
- '!package_kea_removed'
# package not available in OL8
diff --git a/products/ol8/profiles/anssi_bp28_minimal.profile b/products/ol8/profiles/anssi_bp28_minimal.profile
index 01fc247e6614..aabb78d0f2ea 100644
--- a/products/ol8/profiles/anssi_bp28_minimal.profile
+++ b/products/ol8/profiles/anssi_bp28_minimal.profile
@@ -25,6 +25,7 @@ selections:
- '!cracklib_accounts_password_pam_ocredit'
- '!accounts_passwords_pam_tally2_unlock_time'
- '!ensure_redhat_gpgkey_installed'
+ - '!package_sequoia-sq_installed'
- '!ensure_almalinux_gpgkey_installed'
- '!package_kea_removed'
# package not available in OL8
diff --git a/products/ol8/profiles/e8.profile b/products/ol8/profiles/e8.profile
index c637f6b95749..81636952bb03 100644
--- a/products/ol8/profiles/e8.profile
+++ b/products/ol8/profiles/e8.profile
@@ -25,5 +25,6 @@ selections:
- '!package_talk-server_removed'
- '!ensure_redhat_gpgkey_installed'
- '!sysctl_kernel_exec_shield'
+ - '!package_sequoia-sq_installed'
- ensure_oracle_gpgkey_installed
diff --git a/products/ol8/profiles/hipaa.profile b/products/ol8/profiles/hipaa.profile
index ee3c089b5423..c0b94f9bcdbf 100644
--- a/products/ol8/profiles/hipaa.profile
+++ b/products/ol8/profiles/hipaa.profile
@@ -82,6 +82,7 @@ selections:
- '!sshd_use_directory_configuration'
- '!sshd_use_priv_separation'
- '!ensure_redhat_gpgkey_installed'
+ - '!package_sequoia-sq_installed'
- '!sysctl_kernel_exec_shield'
- var_sshd_set_keepalive=0
- ensure_oracle_gpgkey_installed
diff --git a/products/ol8/profiles/ism_o.profile b/products/ol8/profiles/ism_o.profile
index 7b3d807c4667..315c9c41f6ee 100644
--- a/products/ol8/profiles/ism_o.profile
+++ b/products/ol8/profiles/ism_o.profile
@@ -67,6 +67,7 @@ selections:
- '!sshd_allow_only_protocol2'
- '!sshd_use_directory_configuration'
- '!ensure_redhat_gpgkey_installed'
+ - '!package_sequoia-sq_installed'
- '!sysctl_kernel_exec_shield'
- '!secure_boot_enabled'
diff --git a/products/ol8/profiles/ospp.profile b/products/ol8/profiles/ospp.profile
index 4a27482d4537..3dc090fe3a4e 100644
--- a/products/ol8/profiles/ospp.profile
+++ b/products/ol8/profiles/ospp.profile
@@ -200,6 +200,7 @@ selections:
# Following rules are not applicable to OL
- '!ensure_redhat_gpgkey_installed'
+ - '!package_sequoia-sq_installed'
- '!package_dnf-plugin-subscription-manager_installed'
- '!package_subscription-manager_installed'
- '!zipl_audit_argument'
diff --git a/products/ol8/profiles/pci-dss.profile b/products/ol8/profiles/pci-dss.profile
index 2551c141ed79..e2b9c0195d8f 100644
--- a/products/ol8/profiles/pci-dss.profile
+++ b/products/ol8/profiles/pci-dss.profile
@@ -54,6 +54,7 @@ selections:
- '!audit_rules_mac_modification_etc_selinux'
# Use Oracle gpgkey rule
- '!ensure_redhat_gpgkey_installed'
+ - '!package_sequoia-sq_installed'
- '!ensure_suse_gpgkey_installed'
- '!ensure_almalinux_gpgkey_installed'
- 'ensure_oracle_gpgkey_installed'
diff --git a/products/ol9/profiles/anssi_bp28_enhanced.profile b/products/ol9/profiles/anssi_bp28_enhanced.profile
index 3ddb873c4713..ef3b508c83b3 100644
--- a/products/ol9/profiles/anssi_bp28_enhanced.profile
+++ b/products/ol9/profiles/anssi_bp28_enhanced.profile
@@ -23,6 +23,7 @@ selections:
- '!install_PAE_kernel_on_x86-32'
- '!partition_for_boot'
- '!ensure_redhat_gpgkey_installed'
+ - '!package_sequoia-sq_installed'
- '!ensure_almalinux_gpgkey_installed'
- '!sudo_add_ignore_dot'
- '!audit_rules_privileged_commands_rmmod'
diff --git a/products/ol9/profiles/anssi_bp28_high.profile b/products/ol9/profiles/anssi_bp28_high.profile
index bd279e7c781d..227ca7414a14 100644
--- a/products/ol9/profiles/anssi_bp28_high.profile
+++ b/products/ol9/profiles/anssi_bp28_high.profile
@@ -23,6 +23,7 @@ selections:
- '!install_PAE_kernel_on_x86-32'
- '!partition_for_boot'
- '!ensure_redhat_gpgkey_installed'
+ - '!package_sequoia-sq_installed'
- '!ensure_almalinux_gpgkey_installed'
- '!aide_periodic_checking_systemd_timer'
- '!sudo_add_ignore_dot'
diff --git a/products/ol9/profiles/anssi_bp28_intermediary.profile b/products/ol9/profiles/anssi_bp28_intermediary.profile
index 647e71b0e0aa..4dc8bf1adab4 100644
--- a/products/ol9/profiles/anssi_bp28_intermediary.profile
+++ b/products/ol9/profiles/anssi_bp28_intermediary.profile
@@ -32,6 +32,7 @@ selections:
- '!enable_pam_namespace'
- '!accounts_passwords_pam_tally2_unlock_time'
- '!ensure_redhat_gpgkey_installed'
+ - '!package_sequoia-sq_installed'
- '!ensure_almalinux_gpgkey_installed'
- '!sudo_add_umask'
- '!sudo_add_ignore_dot'
diff --git a/products/ol9/profiles/anssi_bp28_minimal.profile b/products/ol9/profiles/anssi_bp28_minimal.profile
index b1a320fb92c6..f6e42b058b64 100644
--- a/products/ol9/profiles/anssi_bp28_minimal.profile
+++ b/products/ol9/profiles/anssi_bp28_minimal.profile
@@ -28,6 +28,7 @@ selections:
- '!cracklib_accounts_password_pam_ocredit'
- '!accounts_passwords_pam_tally2_unlock_time'
- '!ensure_redhat_gpgkey_installed'
+ - '!package_sequoia-sq_installed'
- '!ensure_almalinux_gpgkey_installed'
- '!package_xinetd_removed'
- '!package_kea_removed'
diff --git a/products/ol9/profiles/hipaa.profile b/products/ol9/profiles/hipaa.profile
index 8ae23513e8f1..23e64e8c5d0b 100644
--- a/products/ol9/profiles/hipaa.profile
+++ b/products/ol9/profiles/hipaa.profile
@@ -53,6 +53,7 @@ selections:
- "!ensure_fedora_gpgkey_installed"
- "!ensure_gpgcheck_repo_metadata"
- "!ensure_redhat_gpgkey_installed"
+ - "!package_sequoia-sq_installed"
- "!ensure_suse_gpgkey_installed"
- "!file_groupowner_user_cfg"
- "!file_owner_user_cfg"
diff --git a/products/ol9/profiles/ism_o.profile b/products/ol9/profiles/ism_o.profile
index 98d5fa4f2e5a..54ccc9bf9e7b 100644
--- a/products/ol9/profiles/ism_o.profile
+++ b/products/ol9/profiles/ism_o.profile
@@ -74,6 +74,7 @@ selections:
- '!package_ypbind_removed'
- '!package_xinetd_removed'
- '!ensure_redhat_gpgkey_installed'
+ - '!package_sequoia-sq_installed'
- '!audit_rules_usergroup_modification_opasswd'
- '!audit_rules_usergroup_modification_gshadow'
- '!audit_rules_usergroup_modification_passwd'
diff --git a/products/ol9/profiles/pci-dss.profile b/products/ol9/profiles/pci-dss.profile
index 1788a48df866..835e32687f46 100644
--- a/products/ol9/profiles/pci-dss.profile
+++ b/products/ol9/profiles/pci-dss.profile
@@ -51,6 +51,7 @@ selections:
- '!accounts_passwords_pam_tally2'
- '!ensure_suse_gpgkey_installed'
- '!ensure_redhat_gpgkey_installed'
+ - '!package_sequoia-sq_installed'
- '!ensure_almalinux_gpgkey_installed'
- '!gnome_gdm_disable_unattended_automatic_login'
- '!accounts_passwords_pam_tally2_unlock_time'
diff --git a/products/rhcos4/profiles/anssi_bp28_enhanced.profile b/products/rhcos4/profiles/anssi_bp28_enhanced.profile
index 81715131b957..43d9d46e957b 100644
--- a/products/rhcos4/profiles/anssi_bp28_enhanced.profile
+++ b/products/rhcos4/profiles/anssi_bp28_enhanced.profile
@@ -125,3 +125,4 @@ selections:
- '!service_chronyd_enabled'
- '!ldap_client_start_tls'
- '!ldap_client_tls_cacertpath'
+ - '!package_sequoia-sq_installed'
diff --git a/products/rhcos4/profiles/anssi_bp28_high.profile b/products/rhcos4/profiles/anssi_bp28_high.profile
index 320007a80210..27afcab30009 100644
--- a/products/rhcos4/profiles/anssi_bp28_high.profile
+++ b/products/rhcos4/profiles/anssi_bp28_high.profile
@@ -161,3 +161,4 @@ selections:
- '!service_chronyd_enabled'
- '!audit_rules_mac_modification_etc_selinux'
- '!no_nis_in_nsswitch'
+ - '!package_sequoia-sq_installed'
diff --git a/products/rhcos4/profiles/anssi_bp28_intermediary.profile b/products/rhcos4/profiles/anssi_bp28_intermediary.profile
index 7186a845a87b..e55b0b4b2788 100644
--- a/products/rhcos4/profiles/anssi_bp28_intermediary.profile
+++ b/products/rhcos4/profiles/anssi_bp28_intermediary.profile
@@ -108,3 +108,4 @@ selections:
- '!ldap_client_tls_cacertpath'
- '!ldap_client_start_tls'
- '!no_nis_in_nsswitch'
+ - '!package_sequoia-sq_installed'
diff --git a/products/rhcos4/profiles/anssi_bp28_minimal.profile b/products/rhcos4/profiles/anssi_bp28_minimal.profile
index ddcce444eab4..1be6b05de97a 100644
--- a/products/rhcos4/profiles/anssi_bp28_minimal.profile
+++ b/products/rhcos4/profiles/anssi_bp28_minimal.profile
@@ -64,3 +64,4 @@ selections:
- '!ensure_gpgcheck_never_disabled'
- '!ensure_oracle_gpgkey_installed'
- '!ensure_almalinux_gpgkey_installed'
+ - '!package_sequoia-sq_installed'
diff --git a/products/rhel10/product.yml b/products/rhel10/product.yml
index 1f3f74bf18b5..248fbe97583d 100644
--- a/products/rhel10/product.yml
+++ b/products/rhel10/product.yml
@@ -32,9 +32,12 @@ pkg_release: "4ae0493b"
pkg_version: "fd431d51"
aux_pkg_release: "6229229e"
aux_pkg_version: "5a6340b3"
+pqc_pkg_release: "68e6a1f3"
+pqc_pkg_version: "05707a62"
release_key_fingerprint: "567E347AD0044ADE55BA8A5F199E2F91FD431D51"
auxiliary_key_fingerprint: "7E4624258C406535D56D6F135054E4A45A6340B3"
+pqc_key_fingerprint: "FCD355B305707A62DA143AB6E422397E50FE8467A2A95343D246D6276AFEDF8F"
cpes_root: "../../shared/applicability"
cpes:
diff --git a/products/rhel8/profiles/anssi_bp28_enhanced.profile b/products/rhel8/profiles/anssi_bp28_enhanced.profile
index 770052b9fc01..7938607df3ce 100644
--- a/products/rhel8/profiles/anssi_bp28_enhanced.profile
+++ b/products/rhel8/profiles/anssi_bp28_enhanced.profile
@@ -26,6 +26,7 @@ selections:
- var_password_pam_unix_rounds=65536
- '!timer_logrotate_enabled'
- '!service_chronyd_enabled'
+ - '!package_sequoia-sq_installed'
# disable R45: Enable AppArmor security profiles
- '!apparmor_configured'
diff --git a/products/rhel8/profiles/anssi_bp28_high.profile b/products/rhel8/profiles/anssi_bp28_high.profile
index ce2c11f2206f..afb48d0d2280 100644
--- a/products/rhel8/profiles/anssi_bp28_high.profile
+++ b/products/rhel8/profiles/anssi_bp28_high.profile
@@ -25,6 +25,7 @@ selections:
- var_password_hashing_algorithm=SHA512
- var_password_pam_unix_rounds=65536
- '!service_chronyd_enabled'
+ - '!package_sequoia-sq_installed'
# the following rule renders UEFI systems unbootable
- '!sebool_secure_mode_insmod'
diff --git a/products/rhel8/profiles/anssi_bp28_intermediary.profile b/products/rhel8/profiles/anssi_bp28_intermediary.profile
index 89b0f9a0492d..fac995c470ff 100644
--- a/products/rhel8/profiles/anssi_bp28_intermediary.profile
+++ b/products/rhel8/profiles/anssi_bp28_intermediary.profile
@@ -50,6 +50,7 @@ selections:
- '!package_kea_removed'
- '!package_rsh-server_removed'
- '!package_rsh_removed'
+ - '!package_sequoia-sq_installed'
# Rules that only for higher levels
- '!audit_rules_mac_modification_etc_selinux'
diff --git a/products/rhel8/profiles/anssi_bp28_minimal.profile b/products/rhel8/profiles/anssi_bp28_minimal.profile
index 948de0c9f14a..a1802a276f92 100644
--- a/products/rhel8/profiles/anssi_bp28_minimal.profile
+++ b/products/rhel8/profiles/anssi_bp28_minimal.profile
@@ -38,6 +38,7 @@ selections:
- '!package_kea_removed'
- '!package_rsh-server_removed'
- '!package_rsh_removed'
+ - '!package_sequoia-sq_installed'
# Rules that only for higher levels
- '!audit_rules_mac_modification_etc_selinux'
diff --git a/products/rhel8/profiles/e8.profile b/products/rhel8/profiles/e8.profile
index a6a6ce112fde..4ea512d2ed19 100644
--- a/products/rhel8/profiles/e8.profile
+++ b/products/rhel8/profiles/e8.profile
@@ -31,3 +31,4 @@ selections:
# Following rules are not applicable to RHEL
- '!package_talk_removed'
- '!package_talk-server_removed'
+ - '!package_sequoia-sq_installed'
diff --git a/products/rhel8/profiles/hipaa.profile b/products/rhel8/profiles/hipaa.profile
index d74ed5ba06cd..fb598392a1a8 100644
--- a/products/rhel8/profiles/hipaa.profile
+++ b/products/rhel8/profiles/hipaa.profile
@@ -89,3 +89,4 @@ selections:
- '!sshd_use_approved_macs'
- '!sshd_use_directory_configuration'
- '!sshd_use_priv_separation'
+ - '!package_sequoia-sq_installed'
diff --git a/products/rhel8/profiles/ism_o.profile b/products/rhel8/profiles/ism_o.profile
index 57215ab683d6..825e5ec8ed48 100644
--- a/products/rhel8/profiles/ism_o.profile
+++ b/products/rhel8/profiles/ism_o.profile
@@ -77,6 +77,7 @@ selections:
- '!system_booted_in_fips_mode'
- '!sshd_use_directory_configuration'
- '!ensure_oracle_gpgkey_installed'
+ - '!package_sequoia-sq_installed'
# Adjust variables to match the origianl RHEL 8 profiles
- var_password_hashing_algorithm_pam=sha512
- var_accounts_password_minlen_login_defs=15
diff --git a/products/rhel8/profiles/ospp.profile b/products/rhel8/profiles/ospp.profile
index 794f44484268..d93a50b532a6 100644
--- a/products/rhel8/profiles/ospp.profile
+++ b/products/rhel8/profiles/ospp.profile
@@ -205,4 +205,5 @@ selections:
- '!audit_access_failed_aarch64'
- '!zipl_systemd_debug-shell_argument_absent'
- '!audit_modify_failed_ppc64le'
+ - '!package_sequoia-sq_installed'
diff --git a/products/rhel8/profiles/pci-dss.profile b/products/rhel8/profiles/pci-dss.profile
index 3805ae082dea..85ccb3717e53 100644
--- a/products/rhel8/profiles/pci-dss.profile
+++ b/products/rhel8/profiles/pci-dss.profile
@@ -64,3 +64,4 @@ selections:
- '!audit_rules_file_deletion_events_renameat2'
- '!audit_rules_mac_modification_etc_selinux'
- '!audit_rules_dac_modification_fchmodat2'
+ - '!package_sequoia-sq_installed'
diff --git a/products/rhel9/profiles/anssi_bp28_enhanced.profile b/products/rhel9/profiles/anssi_bp28_enhanced.profile
index d9efbafccf8e..8c4e31fc1d21 100644
--- a/products/rhel9/profiles/anssi_bp28_enhanced.profile
+++ b/products/rhel9/profiles/anssi_bp28_enhanced.profile
@@ -54,6 +54,7 @@ selections:
- '!audit_rules_file_deletion_events_renameat2'
- '!audit_rules_dac_modification_fchmodat2'
- '!ldap_client_tls_cacertpath'
+ - '!package_sequoia-sq_installed'
# RHEL9 unified the paths for grub2 files. These rules are selected in control file by R5 and R29.
- '!file_groupowner_efi_grub2_cfg'
- '!file_owner_efi_grub2_cfg'
diff --git a/products/rhel9/profiles/anssi_bp28_high.profile b/products/rhel9/profiles/anssi_bp28_high.profile
index 860945e45ee5..c687c802c72b 100644
--- a/products/rhel9/profiles/anssi_bp28_high.profile
+++ b/products/rhel9/profiles/anssi_bp28_high.profile
@@ -56,6 +56,7 @@ selections:
- '!package_kea_removed'
- '!audit_rules_file_deletion_events_renameat2'
- '!audit_rules_dac_modification_fchmodat2'
+ - '!package_sequoia-sq_installed'
# disable R45: Enable AppArmor security profiles
- '!apparmor_configured'
- '!all_apparmor_profiles_enforced'
diff --git a/products/rhel9/profiles/anssi_bp28_intermediary.profile b/products/rhel9/profiles/anssi_bp28_intermediary.profile
index 453bb0563d20..84cb6922f1da 100644
--- a/products/rhel9/profiles/anssi_bp28_intermediary.profile
+++ b/products/rhel9/profiles/anssi_bp28_intermediary.profile
@@ -49,6 +49,7 @@ selections:
- '!package_xinetd_removed'
- '!package_ypbind_removed'
- '!package_ypserv_removed'
+ - '!package_sequoia-sq_installed'
# RHEL9 unified the paths for grub2 files. These rules are selected in control file by R5.
- '!grub2_uefi_password'
diff --git a/products/rhel9/profiles/anssi_bp28_minimal.profile b/products/rhel9/profiles/anssi_bp28_minimal.profile
index 986f3903afb5..32fb38633de7 100644
--- a/products/rhel9/profiles/anssi_bp28_minimal.profile
+++ b/products/rhel9/profiles/anssi_bp28_minimal.profile
@@ -42,6 +42,7 @@ selections:
- '!package_xinetd_removed'
- '!package_ypbind_removed'
- '!package_ypserv_removed'
+ - '!package_sequoia-sq_installed'
# Following rules are not applicable to RHEL
- '!package_talk_removed'
diff --git a/products/rhel9/profiles/e8.profile b/products/rhel9/profiles/e8.profile
index 26ef05a8677c..c1b5319205d4 100644
--- a/products/rhel9/profiles/e8.profile
+++ b/products/rhel9/profiles/e8.profile
@@ -26,6 +26,8 @@ selections:
- '!package_rsh_removed'
- package_rear_installed
- package_audit_installed
+ # this package is not available in RHEL 9
+ - '!package_sequoia-sq_installed'
# Following rules are not applicable to RHEL
- '!package_talk_removed'
diff --git a/products/rhel9/profiles/hipaa.profile b/products/rhel9/profiles/hipaa.profile
index 9f62b2c76758..0593ad33ab58 100644
--- a/products/rhel9/profiles/hipaa.profile
+++ b/products/rhel9/profiles/hipaa.profile
@@ -91,3 +91,4 @@ selections:
- "!sshd_use_approved_ciphers"
- "!sshd_use_approved_macs"
- "!sshd_use_priv_separation"
+ - "!package_sequoia-sq_installed"
diff --git a/products/rhel9/profiles/ism_o.profile b/products/rhel9/profiles/ism_o.profile
index e23677734151..871c534c8c20 100644
--- a/products/rhel9/profiles/ism_o.profile
+++ b/products/rhel9/profiles/ism_o.profile
@@ -80,3 +80,5 @@ selections:
- '!package_xinetd_removed'
- '!service_xinetd_disabled'
- '!ensure_oracle_gpgkey_installed'
+ # This package is not available in RHEL 9
+ - '!package_sequoia-sq_installed'
diff --git a/products/rhel9/profiles/ospp.profile b/products/rhel9/profiles/ospp.profile
index d09ce5be7bf6..3afe66d77f9a 100644
--- a/products/rhel9/profiles/ospp.profile
+++ b/products/rhel9/profiles/ospp.profile
@@ -25,3 +25,4 @@ selections:
- enable_authselect
- var_authselect_profile=minimal
- '!package_dnf-plugin-subscription-manager_installed'
+ - '!package_sequoia-sq_installed'
diff --git a/products/rhel9/profiles/pci-dss.profile b/products/rhel9/profiles/pci-dss.profile
index ffcfd1dfe6dd..22055285f8d2 100644
--- a/products/rhel9/profiles/pci-dss.profile
+++ b/products/rhel9/profiles/pci-dss.profile
@@ -73,3 +73,4 @@ selections:
- '!audit_rules_file_deletion_events_renameat2'
- '!audit_rules_mac_modification_etc_selinux'
- '!audit_rules_dac_modification_fchmodat2'
+ - '!package_sequoia-sq_installed'
diff --git a/products/sle12/profiles/anssi_bp28_enhanced.profile b/products/sle12/profiles/anssi_bp28_enhanced.profile
index e82a2214f7bd..c530b0151370 100644
--- a/products/sle12/profiles/anssi_bp28_enhanced.profile
+++ b/products/sle12/profiles/anssi_bp28_enhanced.profile
@@ -35,6 +35,7 @@ selections:
- '!sysctl_kernel_unprivileged_bpf_disabled'
- '!accounts_passwords_pam_faillock_deny'
- '!ensure_redhat_gpgkey_installed'
+ - '!package_sequoia-sq_installed'
- '!ensure_almalinux_gpgkey_installed'
- '!accounts_passwords_pam_faillock_unlock_time'
- '!accounts_passwords_pam_faillock_interval'
diff --git a/products/sle12/profiles/anssi_bp28_high.profile b/products/sle12/profiles/anssi_bp28_high.profile
index f4c90347d0ed..06aff2f828db 100644
--- a/products/sle12/profiles/anssi_bp28_high.profile
+++ b/products/sle12/profiles/anssi_bp28_high.profile
@@ -39,6 +39,7 @@ selections:
- '!kernel_config_hardened_usercopy_fallback'
- '!accounts_passwords_pam_faillock_deny'
- '!ensure_redhat_gpgkey_installed'
+ - '!package_sequoia-sq_installed'
- '!ensure_almalinux_gpgkey_installed'
- '!accounts_passwords_pam_faillock_unlock_time'
- '!accounts_passwords_pam_faillock_interval'
diff --git a/products/sle12/profiles/anssi_bp28_intermediary.profile b/products/sle12/profiles/anssi_bp28_intermediary.profile
index 98d4f4e228f2..7ad8f267e537 100644
--- a/products/sle12/profiles/anssi_bp28_intermediary.profile
+++ b/products/sle12/profiles/anssi_bp28_intermediary.profile
@@ -35,6 +35,7 @@ selections:
- '!sysctl_kernel_unprivileged_bpf_disabled'
- '!accounts_passwords_pam_faillock_deny'
- '!ensure_redhat_gpgkey_installed'
+ - '!package_sequoia-sq_installed'
- '!ensure_almalinux_gpgkey_installed'
- '!accounts_passwords_pam_faillock_unlock_time'
- '!accounts_passwords_pam_faillock_interval'
diff --git a/products/sle12/profiles/anssi_bp28_minimal.profile b/products/sle12/profiles/anssi_bp28_minimal.profile
index 68e195600e57..5910dc8d04ba 100644
--- a/products/sle12/profiles/anssi_bp28_minimal.profile
+++ b/products/sle12/profiles/anssi_bp28_minimal.profile
@@ -36,6 +36,7 @@ selections:
- '!accounts_password_pam_ocredit'
- '!accounts_password_pam_lcredit'
- '!ensure_redhat_gpgkey_installed'
+ - '!package_sequoia-sq_installed'
- '!ensure_almalinux_gpgkey_installed'
- '!accounts_passwords_pam_faillock_deny'
- '!accounts_passwords_pam_faillock_unlock_time'
diff --git a/products/sle15/profiles/anssi_bp28_enhanced.profile b/products/sle15/profiles/anssi_bp28_enhanced.profile
index a99f736d325c..524e733a55be 100644
--- a/products/sle15/profiles/anssi_bp28_enhanced.profile
+++ b/products/sle15/profiles/anssi_bp28_enhanced.profile
@@ -35,6 +35,7 @@ selections:
- '!sysctl_kernel_unprivileged_bpf_disabled'
- '!accounts_passwords_pam_faillock_deny'
- '!ensure_redhat_gpgkey_installed'
+ - '!package_sequoia-sq_installed'
- '!ensure_almalinux_gpgkey_installed'
- '!accounts_passwords_pam_faillock_unlock_time'
- '!accounts_passwords_pam_faillock_interval'
diff --git a/products/sle15/profiles/anssi_bp28_high.profile b/products/sle15/profiles/anssi_bp28_high.profile
index e5f38cdf6b5d..0cb8cabe646f 100644
--- a/products/sle15/profiles/anssi_bp28_high.profile
+++ b/products/sle15/profiles/anssi_bp28_high.profile
@@ -40,6 +40,7 @@ selections:
- '!kernel_config_hardened_usercopy_fallback'
- '!accounts_passwords_pam_faillock_deny'
- '!ensure_redhat_gpgkey_installed'
+ - '!package_sequoia-sq_installed'
- '!accounts_passwords_pam_faillock_unlock_time'
- '!accounts_passwords_pam_faillock_interval'
- '!kernel_config_gcc_plugin_latent_entropy'
diff --git a/products/sle15/profiles/anssi_bp28_intermediary.profile b/products/sle15/profiles/anssi_bp28_intermediary.profile
index a61e4522e7b7..a74522ff4c84 100644
--- a/products/sle15/profiles/anssi_bp28_intermediary.profile
+++ b/products/sle15/profiles/anssi_bp28_intermediary.profile
@@ -35,6 +35,7 @@ selections:
- '!sysctl_kernel_unprivileged_bpf_disabled'
- '!accounts_passwords_pam_faillock_deny'
- '!ensure_redhat_gpgkey_installed'
+ - '!package_sequoia-sq_installed'
- '!accounts_passwords_pam_faillock_unlock_time'
- '!accounts_passwords_pam_faillock_interval'
- '!sysctl_kernel_yama_ptrace_scope'
diff --git a/products/sle15/profiles/anssi_bp28_minimal.profile b/products/sle15/profiles/anssi_bp28_minimal.profile
index dd3deb9b71b7..d1a31f8730de 100644
--- a/products/sle15/profiles/anssi_bp28_minimal.profile
+++ b/products/sle15/profiles/anssi_bp28_minimal.profile
@@ -36,6 +36,7 @@ selections:
- '!accounts_password_pam_ocredit'
- '!accounts_password_pam_lcredit'
- '!ensure_redhat_gpgkey_installed'
+ - '!package_sequoia-sq_installed'
- '!accounts_passwords_pam_faillock_deny'
- '!accounts_passwords_pam_faillock_unlock_time'
- '!accounts_passwords_pam_faillock_interval'
diff --git a/products/sle15/profiles/pci-dss-4.profile b/products/sle15/profiles/pci-dss-4.profile
index 5f9dbe5b2dd3..ca73b0dd3d85 100644
--- a/products/sle15/profiles/pci-dss-4.profile
+++ b/products/sle15/profiles/pci-dss-4.profile
@@ -42,6 +42,7 @@ selections:
- '!file_owner_user_cfg'
- '!accounts_passwords_pam_faillock_unlock_time'
- '!ensure_redhat_gpgkey_installed'
+ - '!package_sequoia-sq_installed'
- '!ensure_almalinux_gpgkey_installed'
- '!firewalld_loopback_traffic_restricted'
- '!accounts_password_pam_lcredit'
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
index 0c6a49b2a0fa..fbc67fb464d6 100644
--- a/shared/references/cce-redhat-avail.txt
+++ b/shared/references/cce-redhat-avail.txt
@@ -1,4 +1,3 @@
-CCE-86458-7
CCE-86459-5
CCE-86461-1
CCE-86465-2
diff --git a/tests/data/product_stability/rhel10.yml b/tests/data/product_stability/rhel10.yml
index e4799e7854c4..72a6baee3e83 100644
--- a/tests/data/product_stability/rhel10.yml
+++ b/tests/data/product_stability/rhel10.yml
@@ -69,6 +69,9 @@ platform_package_overrides:
zipl: s390utils-base
product: rhel10
profiles_root: ./profiles
+pqc_key_fingerprint: "FCD355B305707A62DA143AB6E422397E50FE8467A2A95343D246D6276AFEDF8F"
+pqc_pkg_release: "68e6a1f3"
+pqc_pkg_version: "05707a62"
pwhistory_path: /etc/security/pwhistory.conf
pwquality_path: /etc/security/pwquality.conf
reference_uris:
diff --git a/tests/data/profile_stability/rhel10/anssi_bp28_enhanced.profile b/tests/data/profile_stability/rhel10/anssi_bp28_enhanced.profile
index 5d88b742606e..4176a5e92ba5 100644
--- a/tests/data/profile_stability/rhel10/anssi_bp28_enhanced.profile
+++ b/tests/data/profile_stability/rhel10/anssi_bp28_enhanced.profile
@@ -212,6 +212,7 @@ package_dnf-automatic_installed
package_kea_removed
package_logrotate_installed
package_rsyslog-gnutls_installed
+package_sequoia-sq_installed
package_sssd_installed
package_sudo_installed
package_telnet-server_removed
diff --git a/tests/data/profile_stability/rhel10/anssi_bp28_high.profile b/tests/data/profile_stability/rhel10/anssi_bp28_high.profile
index 6e3ed444c3e3..9d832289398b 100644
--- a/tests/data/profile_stability/rhel10/anssi_bp28_high.profile
+++ b/tests/data/profile_stability/rhel10/anssi_bp28_high.profile
@@ -275,6 +275,7 @@ package_dnf-automatic_installed
package_kea_removed
package_logrotate_installed
package_rsyslog-gnutls_installed
+package_sequoia-sq_installed
package_setroubleshoot-plugins_removed
package_setroubleshoot-server_removed
package_setroubleshoot_removed
diff --git a/tests/data/profile_stability/rhel10/anssi_bp28_intermediary.profile b/tests/data/profile_stability/rhel10/anssi_bp28_intermediary.profile
index 33ba6f4abf7e..45f30ea89236 100644
--- a/tests/data/profile_stability/rhel10/anssi_bp28_intermediary.profile
+++ b/tests/data/profile_stability/rhel10/anssi_bp28_intermediary.profile
@@ -136,6 +136,7 @@ package_aide_installed
package_audit_installed
package_dnf-automatic_installed
package_kea_removed
+package_sequoia-sq_installed
package_sssd_installed
package_sudo_installed
package_telnet-server_removed
diff --git a/tests/data/profile_stability/rhel10/anssi_bp28_minimal.profile b/tests/data/profile_stability/rhel10/anssi_bp28_minimal.profile
index 5ba94bfde688..daa4d0fb7d2d 100644
--- a/tests/data/profile_stability/rhel10/anssi_bp28_minimal.profile
+++ b/tests/data/profile_stability/rhel10/anssi_bp28_minimal.profile
@@ -28,6 +28,7 @@ file_permissions_ungroupowned
no_files_unowned_by_user
package_dnf-automatic_installed
package_kea_removed
+package_sequoia-sq_installed
package_telnet-server_removed
package_telnet_removed
package_tftp-server_removed
diff --git a/tests/data/profile_stability/rhel10/e8.profile b/tests/data/profile_stability/rhel10/e8.profile
index 222a8b5d1408..3403e873a09c 100644
--- a/tests/data/profile_stability/rhel10/e8.profile
+++ b/tests/data/profile_stability/rhel10/e8.profile
@@ -52,6 +52,7 @@ no_empty_passwords
package_fapolicyd_installed
package_firewalld_installed
package_rsyslog_installed
+package_sequoia-sq_installed
package_squid_removed
package_telnet-server_removed
package_telnet_removed
diff --git a/tests/data/profile_stability/rhel10/hipaa.profile b/tests/data/profile_stability/rhel10/hipaa.profile
index 8369430027d3..8f155a64dd5d 100644
--- a/tests/data/profile_stability/rhel10/hipaa.profile
+++ b/tests/data/profile_stability/rhel10/hipaa.profile
@@ -120,6 +120,7 @@ no_empty_passwords
package_audit_installed
package_cron_installed
package_rsyslog_installed
+package_sequoia-sq_installed
package_telnet-server_removed
package_telnet_removed
partition_for_var_log_audit
diff --git a/tests/data/profile_stability/rhel10/ism_o.profile b/tests/data/profile_stability/rhel10/ism_o.profile
index 05934e402eb8..0c9e1510efad 100644
--- a/tests/data/profile_stability/rhel10/ism_o.profile
+++ b/tests/data/profile_stability/rhel10/ism_o.profile
@@ -102,6 +102,7 @@ package_opensc_installed
package_pcsc-lite-ccid_installed
package_pcsc-lite_installed
package_rsyslog_installed
+package_sequoia-sq_installed
package_squid_removed
package_subscription-manager_installed
package_sudo_installed
diff --git a/tests/data/profile_stability/rhel10/ism_o_secret.profile b/tests/data/profile_stability/rhel10/ism_o_secret.profile
index 4c22b4ceb23c..75c91e6c50b2 100644
--- a/tests/data/profile_stability/rhel10/ism_o_secret.profile
+++ b/tests/data/profile_stability/rhel10/ism_o_secret.profile
@@ -102,6 +102,7 @@ package_opensc_installed
package_pcsc-lite-ccid_installed
package_pcsc-lite_installed
package_rsyslog_installed
+package_sequoia-sq_installed
package_squid_removed
package_subscription-manager_installed
package_sudo_installed
diff --git a/tests/data/profile_stability/rhel10/ism_o_top_secret.profile b/tests/data/profile_stability/rhel10/ism_o_top_secret.profile
index 53ae6453bdb5..fe0855f1f63a 100644
--- a/tests/data/profile_stability/rhel10/ism_o_top_secret.profile
+++ b/tests/data/profile_stability/rhel10/ism_o_top_secret.profile
@@ -102,6 +102,7 @@ package_opensc_installed
package_pcsc-lite-ccid_installed
package_pcsc-lite_installed
package_rsyslog_installed
+package_sequoia-sq_installed
package_squid_removed
package_subscription-manager_installed
package_sudo_installed
diff --git a/tests/data/profile_stability/rhel10/ospp.profile b/tests/data/profile_stability/rhel10/ospp.profile
index e40ee57e112b..4e8be22afd63 100644
--- a/tests/data/profile_stability/rhel10/ospp.profile
+++ b/tests/data/profile_stability/rhel10/ospp.profile
@@ -100,6 +100,7 @@ package_gnutls-utils_installed
package_openscap-scanner_installed
package_openssh-clients_installed
package_openssh-server_installed
+package_sequoia-sq_installed
package_subscription-manager_installed
package_sudo_installed
package_usbguard_installed
diff --git a/tests/data/profile_stability/rhel10/pci-dss.profile b/tests/data/profile_stability/rhel10/pci-dss.profile
index 8b3c33be7f99..b89fbac1f5da 100644
--- a/tests/data/profile_stability/rhel10/pci-dss.profile
+++ b/tests/data/profile_stability/rhel10/pci-dss.profile
@@ -190,6 +190,7 @@ package_libselinux_installed
package_logrotate_installed
package_net-snmp_removed
package_nftables_installed
+package_sequoia-sq_installed
package_sudo_installed
package_telnet-server_removed
package_telnet_removed
diff --git a/tests/data/profile_stability/rhel10/stig.profile b/tests/data/profile_stability/rhel10/stig.profile
index 8f9f3adae8e3..d9709ad69bbf 100644
--- a/tests/data/profile_stability/rhel10/stig.profile
+++ b/tests/data/profile_stability/rhel10/stig.profile
@@ -382,6 +382,7 @@ package_policycoreutils_installed
package_rsyslog-gnutls_installed
package_rsyslog_installed
package_s-nail_installed
+package_sequoia-sq_installed
package_sssd_installed
package_subscription-manager_installed
package_sudo_installed
diff --git a/tests/data/profile_stability/rhel10/stig_gui.profile b/tests/data/profile_stability/rhel10/stig_gui.profile
index 67055a59f9e8..e5632d66dad0 100644
--- a/tests/data/profile_stability/rhel10/stig_gui.profile
+++ b/tests/data/profile_stability/rhel10/stig_gui.profile
@@ -379,6 +379,7 @@ package_policycoreutils_installed
package_rsyslog-gnutls_installed
package_rsyslog_installed
package_s-nail_installed
+package_sequoia-sq_installed
package_sssd_installed
package_subscription-manager_installed
package_sudo_installed