--- /srv/reproducible-results/rbuild-debian/r-b-build.5RunvC38/b1/scap-security-guide_0.1.78-1_arm64.changes
+++ /srv/reproducible-results/rbuild-debian/r-b-build.5RunvC38/b2/scap-security-guide_0.1.78-1_arm64.changes
├── Files
│ @@ -1,6 +1,6 @@
│  
│   9ba708400d9478b0e7b2967ff9944aee 153564 admin optional ssg-applications_0.1.78-1_all.deb
│   532111b3db0ce4886d0faa619666125b 32876 admin optional ssg-base_0.1.78-1_all.deb
│   a5083fde718989b0ace1e497373c6749 2380448 admin optional ssg-debderived_0.1.78-1_all.deb
│   65e6defd051759671bb2320f5dd7b1ec 2586744 admin optional ssg-debian_0.1.78-1_all.deb
│ - 9aca9b3badfb441c5efba33c6c029426 39973184 admin optional ssg-nondebian_0.1.78-1_all.deb
│ + 6de8c02fa105f76ec603519c96a95cdf 39973352 admin optional ssg-nondebian_0.1.78-1_all.deb
├── ssg-nondebian_0.1.78-1_all.deb
│ ├── file list
│ │ @@ -1,3 +1,3 @@
│ │  -rw-r--r--   0        0        0        4 2025-09-12 08:13:30.000000 debian-binary
│ │ --rw-r--r--   0        0        0    18856 2025-09-12 08:13:30.000000 control.tar.xz
│ │ --rw-r--r--   0        0        0 39954136 2025-09-12 08:13:30.000000 data.tar.xz
│ │ +-rw-r--r--   0        0        0    18844 2025-09-12 08:13:30.000000 control.tar.xz
│ │ +-rw-r--r--   0        0        0 39954316 2025-09-12 08:13:30.000000 data.tar.xz
│ ├── control.tar.xz
│ │ ├── control.tar
│ │ │ ├── ./md5sums
│ │ │ │ ├── ./md5sums
│ │ │ │ │┄ Files differ
│ ├── data.tar.xz
│ │ ├── data.tar
│ │ │ ├── ./usr/share/doc/ssg-nondebian/table-ol7-nistrefs-stig.html
│ │ │ │ @@ -8559,18 +8559,18 @@
│ │ │ │  000216e0: 6b0a 616e 6420 7573 6520 7468 6520 696e  k.and use the in
│ │ │ │  000216f0: 666f 726d 6174 696f 6e20 746f 2070 6f74  formation to pot
│ │ │ │  00021700: 656e 7469 616c 6c79 2063 6f6d 7072 6f6d  entially comprom
│ │ │ │  00021710: 6973 6520 7468 6520 696e 7465 6772 6974  ise the integrit
│ │ │ │  00021720: 7920 6f66 2074 6865 2073 7973 7465 6d20  y of the system 
│ │ │ │  00021730: 616e 640a 6e65 7477 6f72 6b28 7329 2e0a  and.network(s)..
│ │ │ │  00021740: 2020 3c2f 7464 3e0a 2020 3c74 643e 7661    </td>.  <td>va
│ │ │ │ -00021750: 725f 736e 6d70 645f 7277 5f73 7472 696e  r_snmpd_rw_strin
│ │ │ │ -00021760: 673d 6368 616e 6765 6d65 7277 3c62 722f  g=changemerw<br/
│ │ │ │ -00021770: 3e76 6172 5f73 6e6d 7064 5f72 6f5f 7374  >var_snmpd_ro_st
│ │ │ │ -00021780: 7269 6e67 3d63 6861 6e67 656d 6572 6f3c  ring=changemero<
│ │ │ │ +00021750: 725f 736e 6d70 645f 726f 5f73 7472 696e  r_snmpd_ro_strin
│ │ │ │ +00021760: 673d 6368 616e 6765 6d65 726f 3c62 722f  g=changemero<br/
│ │ │ │ +00021770: 3e76 6172 5f73 6e6d 7064 5f72 775f 7374  >var_snmpd_rw_st
│ │ │ │ +00021780: 7269 6e67 3d63 6861 6e67 656d 6572 773c  ring=changemerw<
│ │ │ │  00021790: 2f74 643e 0a3c 2f74 723e 0a3c 7472 3e0a  /td>.</tr>.<tr>.
│ │ │ │  000217a0: 2020 3c74 643e 5343 2d35 3c2f 7464 3e0a    <td>SC-5</td>.
│ │ │ │  000217b0: 2020 3c74 643e 4e2f 413c 2f74 643e 0a20    <td>N/A</td>. 
│ │ │ │  000217c0: 203c 7464 3e43 6f6e 6669 6775 7265 204b   <td>Configure K
│ │ │ │  000217d0: 6572 6e65 6c20 746f 2052 6174 6520 4c69  ernel to Rate Li
│ │ │ │  000217e0: 6d69 7420 5365 6e64 696e 6720 6f66 2044  mit Sending of D
│ │ │ │  000217f0: 7570 6c69 6361 7465 2054 4350 2041 636b  uplicate TCP Ack
│ │ │ │ ├── html2text {}
│ │ │ │ │ @@ -2893,16 +2893,16 @@
│ │ │ │ │                                                                                network management
│ │ │ │ │                                                                                protocol (SNMP)
│ │ │ │ │                                                                                community strings
│ │ │ │ │                                                                                must be changed to
│ │ │ │ │                                    Edit /etc/snmp/snmpd.conf, remove or change maintain security.
│ │ │ │ │                                    the default community strings of public and If the service is
│ │ │ │ │                                    private. This profile configures new read-  running with the
│ │ │ │ │ -        N/ Ensure Default SNMP    only community string to changemero and     default             var_snmpd_rw_string=changemerw
│ │ │ │ │ -IA-5(e) A  Password Is Not Used   read-write community string to changemerw.  authenticators,     var_snmpd_ro_string=changemero
│ │ │ │ │ +        N/ Ensure Default SNMP    only community string to changemero and     default             var_snmpd_ro_string=changemero
│ │ │ │ │ +IA-5(e) A  Password Is Not Used   read-write community string to changemerw.  authenticators,     var_snmpd_rw_string=changemerw
│ │ │ │ │                                    Once the default community strings have     then anyone can
│ │ │ │ │                                    been changed, restart the SNMP service:     gather data about
│ │ │ │ │                                    $ sudo systemctl restart snmpd              the system and the
│ │ │ │ │                                                                                network and use the
│ │ │ │ │                                                                                information to
│ │ │ │ │                                                                                potentially
│ │ │ │ │                                                                                compromise the
│ │ │ ├── ./usr/share/doc/ssg-nondebian/table-ol8-nistrefs-stig.html
│ │ │ │ @@ -24012,17 +24012,17 @@
│ │ │ │  0005dcb0: 6c69 6e67 0a74 696d 652d 6261 7365 6420  ling.time-based 
│ │ │ │  0005dcc0: 6c69 6d69 742c 2065 6666 6563 7473 206f  limit, effects o
│ │ │ │  0005dcd0: 6620 706f 7465 6e74 6961 6c20 6174 7461  f potential atta
│ │ │ │  0005dce0: 636b 7320 6167 6169 6e73 740a 656e 6372  cks against.encr
│ │ │ │  0005dcf0: 7970 7469 6f6e 206b 6579 7320 6172 6520  yption keys are 
│ │ │ │  0005dd00: 6c69 6d69 7465 642e 0a20 203c 2f74 643e  limited..  </td>
│ │ │ │  0005dd10: 0a20 203c 7464 3e76 6172 5f72 656b 6579  .  <td>var_rekey
│ │ │ │ -0005dd20: 5f6c 696d 6974 5f73 697a 653d 3147 3c62  _limit_size=1G<b
│ │ │ │ -0005dd30: 722f 3e76 6172 5f72 656b 6579 5f6c 696d  r/>var_rekey_lim
│ │ │ │ -0005dd40: 6974 5f74 696d 653d 3168 6f75 723c 2f74  it_time=1hour</t
│ │ │ │ +0005dd20: 5f6c 696d 6974 5f74 696d 653d 3168 6f75  _limit_time=1hou
│ │ │ │ +0005dd30: 723c 6272 2f3e 7661 725f 7265 6b65 795f  r<br/>var_rekey_
│ │ │ │ +0005dd40: 6c69 6d69 745f 7369 7a65 3d31 473c 2f74  limit_size=1G</t
│ │ │ │  0005dd50: 643e 0a3c 2f74 723e 0a3c 7472 3e0a 2020  d>.</tr>.<tr>.  
│ │ │ │  0005dd60: 3c74 643e 3c2f 7464 3e0a 2020 3c74 643e  <td></td>.  <td>
│ │ │ │  0005dd70: 4e2f 413c 2f74 643e 0a20 203c 7464 3e53  N/A</td>.  <td>S
│ │ │ │  0005dd80: 5348 2073 6572 7665 7220 7573 6573 2073  SH server uses s
│ │ │ │  0005dd90: 7472 6f6e 6720 656e 7472 6f70 7920 746f  trong entropy to
│ │ │ │  0005dda0: 2073 6565 643c 2f74 643e 0a20 203c 7464   seed</td>.  <td
│ │ │ │  0005ddb0: 2078 6d6c 3a6c 616e 673d 2265 6e2d 5553   xml:lang="en-US
│ │ │ │ ├── html2text {}
│ │ │ │ │ @@ -7629,16 +7629,16 @@
│ │ │ │ │                                   private key.                                          system where the
│ │ │ │ │                                                                                         associated public
│ │ │ │ │                                                                                         key has been
│ │ │ │ │                                                                                         installed.
│ │ │ │ │                                   The RekeyLimit parameter specifies how often the      By decreasing the
│ │ │ │ │                                   session key of the is renegotiated, both in terms of  limit based on the
│ │ │ │ │             Force frequent        amount of data that may be transmitted and the time   amount of data and
│ │ │ │ │ -        N/ session key           elapsed.                                              enabling time-based var_rekey_limit_size=1G
│ │ │ │ │ -        A  renegotiation         To decrease the default limits, add or correct the    limit, effects of   var_rekey_limit_time=1hour
│ │ │ │ │ +        N/ session key           elapsed.                                              enabling time-based var_rekey_limit_time=1hour
│ │ │ │ │ +        A  renegotiation         To decrease the default limits, add or correct the    limit, effects of   var_rekey_limit_size=1G
│ │ │ │ │                                   following line in /etc/ssh/sshd_config:               potential attacks
│ │ │ │ │                                   RekeyLimit 1G 1hour                                   against encryption
│ │ │ │ │                                                                                         keys are limited.
│ │ │ │ │                                                                                         SSH implementation
│ │ │ │ │                                                                                         in Oracle Linux 8
│ │ │ │ │                                                                                         uses the openssl
│ │ │ │ │                                                                                         library, which
│ │ │ ├── ./usr/share/doc/ssg-nondebian/table-rhel8-nistrefs-stig.html
│ │ │ │ @@ -24516,17 +24516,17 @@
│ │ │ │  0005fc30: 6c69 6e67 0a74 696d 652d 6261 7365 6420  ling.time-based 
│ │ │ │  0005fc40: 6c69 6d69 742c 2065 6666 6563 7473 206f  limit, effects o
│ │ │ │  0005fc50: 6620 706f 7465 6e74 6961 6c20 6174 7461  f potential atta
│ │ │ │  0005fc60: 636b 7320 6167 6169 6e73 740a 656e 6372  cks against.encr
│ │ │ │  0005fc70: 7970 7469 6f6e 206b 6579 7320 6172 6520  yption keys are 
│ │ │ │  0005fc80: 6c69 6d69 7465 642e 0a20 203c 2f74 643e  limited..  </td>
│ │ │ │  0005fc90: 0a20 203c 7464 3e76 6172 5f72 656b 6579  .  <td>var_rekey
│ │ │ │ -0005fca0: 5f6c 696d 6974 5f74 696d 653d 3168 6f75  _limit_time=1hou
│ │ │ │ -0005fcb0: 723c 6272 2f3e 7661 725f 7265 6b65 795f  r<br/>var_rekey_
│ │ │ │ -0005fcc0: 6c69 6d69 745f 7369 7a65 3d31 473c 2f74  limit_size=1G</t
│ │ │ │ +0005fca0: 5f6c 696d 6974 5f73 697a 653d 3147 3c62  _limit_size=1G<b
│ │ │ │ +0005fcb0: 722f 3e76 6172 5f72 656b 6579 5f6c 696d  r/>var_rekey_lim
│ │ │ │ +0005fcc0: 6974 5f74 696d 653d 3168 6f75 723c 2f74  it_time=1hour</t
│ │ │ │  0005fcd0: 643e 0a3c 2f74 723e 0a3c 7472 3e0a 2020  d>.</tr>.<tr>.  
│ │ │ │  0005fce0: 3c74 643e 3c2f 7464 3e0a 2020 3c74 643e  <td></td>.  <td>
│ │ │ │  0005fcf0: 4343 452d 3832 3436 322d 333c 2f74 643e  CCE-82462-3</td>
│ │ │ │  0005fd00: 0a20 203c 7464 3e53 5348 2073 6572 7665  .  <td>SSH serve
│ │ │ │  0005fd10: 7220 7573 6573 2073 7472 6f6e 6720 656e  r uses strong en
│ │ │ │  0005fd20: 7472 6f70 7920 746f 2073 6565 643c 2f74  tropy to seed</t
│ │ │ │  0005fd30: 643e 0a20 203c 7464 2078 6d6c 3a6c 616e  d>.  <td xml:lan
│ │ │ │ ├── html2text {}
│ │ │ │ │ @@ -7638,16 +7638,16 @@
│ │ │ │ │                                       corresponding private key.                            system where the
│ │ │ │ │                                                                                             associated public
│ │ │ │ │                                                                                             key has been
│ │ │ │ │                                                                                             installed.
│ │ │ │ │                                       The RekeyLimit parameter specifies how often the      By decreasing the
│ │ │ │ │                                       session key of the is renegotiated, both in terms of  limit based on the
│ │ │ │ │          CCE-   Force frequent        amount of data that may be transmitted and the time   amount of data and
│ │ │ │ │ -        82177- session key           elapsed.                                              enabling time-based var_rekey_limit_time=1hour
│ │ │ │ │ -        7      renegotiation         To decrease the default limits, add or correct the    limit, effects of   var_rekey_limit_size=1G
│ │ │ │ │ +        82177- session key           elapsed.                                              enabling time-based var_rekey_limit_size=1G
│ │ │ │ │ +        7      renegotiation         To decrease the default limits, add or correct the    limit, effects of   var_rekey_limit_time=1hour
│ │ │ │ │                                       following line in /etc/ssh/sshd_config:               potential attacks
│ │ │ │ │                                       RekeyLimit 1G 1hour                                   against encryption
│ │ │ │ │                                                                                             keys are limited.
│ │ │ │ │                                                                                             SSH implementation
│ │ │ │ │                                                                                             in Red Hat
│ │ │ │ │                                                                                             Enterprise Linux 8
│ │ │ │ │                                                                                             uses the openssl
│ │ │ ├── ./usr/share/scap-security-guide/tailoring/ol8_stig_delta_tailoring.xml
│ │ │ │ ├── ./usr/share/scap-security-guide/tailoring/ol8_stig_delta_tailoring.xml
│ │ │ │ │ @@ -1,10 +1,10 @@
│ │ │ │ │  <?xml version="1.0" encoding="utf-8"?>
│ │ │ │ │  <xccdf-1.2:Tailoring xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2" id="xccdf_content-disa-delta_tailoring_default">
│ │ │ │ │ -  <xccdf-1.2:version time="2025-09-11T20:13:30">1</xccdf-1.2:version>
│ │ │ │ │ +  <xccdf-1.2:version time="2025-09-12T22:13:30">1</xccdf-1.2:version>
│ │ │ │ │    <xccdf-1.2:Profile id="xccdf_org.ssgproject.content_profile_stig_delta_tailoring" extends="xccdf_org.ssgproject.content_profile_stig">
│ │ │ │ │      <xccdf-1.2:title override="true">DISA STIG for Oracle Linux 8</xccdf-1.2:title>
│ │ │ │ │      <xccdf-1.2:description override="true">This profile contains configuration checks that align to the
│ │ │ │ │  DISA STIG for Oracle Linux 8 V2R4.</xccdf-1.2:description>
│ │ │ │ │      <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_account_disable_inactivity_password_auth" selected="false"/>
│ │ │ │ │      <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_account_disable_inactivity_system_auth" selected="false"/>
│ │ │ │ │      <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_account_disable_post_pw_expiration" selected="false"/>
│ │ │ ├── ./usr/share/scap-security-guide/tailoring/rhel8_stig_delta_tailoring.xml
│ │ │ │ ├── ./usr/share/scap-security-guide/tailoring/rhel8_stig_delta_tailoring.xml
│ │ │ │ │ @@ -1,10 +1,10 @@
│ │ │ │ │  <?xml version="1.0" encoding="utf-8"?>
│ │ │ │ │  <xccdf-1.2:Tailoring xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2" id="xccdf_content-disa-delta_tailoring_default">
│ │ │ │ │ -  <xccdf-1.2:version time="2025-09-11T20:13:30">1</xccdf-1.2:version>
│ │ │ │ │ +  <xccdf-1.2:version time="2025-09-12T22:13:30">1</xccdf-1.2:version>
│ │ │ │ │    <xccdf-1.2:Profile id="xccdf_org.ssgproject.content_profile_stig_delta_tailoring" extends="xccdf_org.ssgproject.content_profile_stig">
│ │ │ │ │      <xccdf-1.2:title override="true">DISA STIG for Red Hat Enterprise Linux 8</xccdf-1.2:title>
│ │ │ │ │      <xccdf-1.2:description override="true">This profile contains configuration checks that align to the
│ │ │ │ │  DISA STIG for Red Hat Enterprise Linux 8 V2R4.
│ │ │ │ │  
│ │ │ │ │  In addition to being applicable to Red Hat Enterprise Linux 8, this
│ │ │ │ │  configuration baseline is applicable to the operating system tier of