diff --git a/linux_os/guide/services/usbguard/usbguard_allow_hid/ansible/shared.yml b/linux_os/guide/services/usbguard/usbguard_allow_hid/ansible/shared.yml new file mode 100644 index 00000000000..f3582f6a516 --- /dev/null +++ b/linux_os/guide/services/usbguard/usbguard_allow_hid/ansible/shared.yml @@ -0,0 +1,7 @@ +# platform = multi_platform_all +# reboot = false +# complexity = low +# strategy = configure +# disruption = low + +{{{ ansible_lineinfile(msg='allow HID devices', path='/etc/usbguard/rules.conf', regex='', new_line='allow with-interface match-all { 03:*:* }', create='yes', state='present') }}} diff --git a/linux_os/guide/services/usbguard/usbguard_allow_hid/rule.yml b/linux_os/guide/services/usbguard/usbguard_allow_hid/rule.yml index 35039ee772c..095c6f0b5c4 100644 --- a/linux_os/guide/services/usbguard/usbguard_allow_hid/rule.yml +++ b/linux_os/guide/services/usbguard/usbguard_allow_hid/rule.yml @@ -23,6 +23,7 @@ severity: medium identifiers: cce@rhel8: CCE-82274-2 + cce@rhel9: CCE-85990-0 references: ospp: FMT_SMF_EXT.1 @@ -37,3 +38,9 @@ ocil: |- The output lines should include
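Review bot: The new Ansible remediation inserts the allow rule with `regex=''`, so an equivalent rule already present with different spacing (for example `{03:*:*}`) is not recognised and the line is appended a second time, and the append always lands at the end of `/etc/usbguard/rules.conf`, after any earlier `block`/`reject` rule that may already match the same devices; whether such an earlier rule then takes precedence depends on USBGuard's ordered rule evaluation, which should be confirmed against usbguard-rules.conf(5) for the targeted releases. A regex matching the intended line, along the lines of `regex='^allow\s+with-interface\s+match-all\s+\{\s*03:\*:\*\s*\}'` (check how the `ansible_lineinfile` macro quotes it), would keep the task idempotent. The same applies to the new ansible/shared.yml files for usbguard_allow_hid_and_hub and usbguard_allow_hub later in this commit. Nothing in the task restarts usbguard after the edit; `reboot = false` is fine, but confirm whether the daemon picks up a changed rules.conf without a restart.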
allow with-interface match-all { 03:*:* }
+fixtext: |-
+ Configure the USBGuard daemon to allow USB Human Interface Devices.
+
+ Add or edit the following line in "/etc/usbguard/rules.conf":
+
+ allow with-interface match-all { 03:*:* }
diff --git a/linux_os/guide/services/usbguard/usbguard_allow_hid_and_hub/ansible/shared.yml b/linux_os/guide/services/usbguard/usbguard_allow_hid_and_hub/ansible/shared.yml
new file mode 100644
index 00000000000..13e8e46753e
--- /dev/null
+++ b/linux_os/guide/services/usbguard/usbguard_allow_hid_and_hub/ansible/shared.yml
@@ -0,0 +1,7 @@
+# platform = multi_platform_all
+# reboot = false
+# complexity = low
+# strategy = configure
+# disruption = low
+
+{{{ ansible_lineinfile(msg='allow HID devices and hubs', path='/etc/usbguard/rules.conf', regex='', new_line='allow with-interface match-all { 03:*:* 09:00:* }', create='yes', state='present') }}}
diff --git a/linux_os/guide/services/usbguard/usbguard_allow_hid_and_hub/rule.yml b/linux_os/guide/services/usbguard/usbguard_allow_hid_and_hub/rule.yml
index 4d3114e0409..bfbaaeeaad6 100644
--- a/linux_os/guide/services/usbguard/usbguard_allow_hid_and_hub/rule.yml
+++ b/linux_os/guide/services/usbguard/usbguard_allow_hid_and_hub/rule.yml
@@ -40,3 +40,10 @@ ocil: |-
$ sudo grep allow /etc/usbguard/rules.conf
The output lines should include
allow with-interface match-all { 03:*:* 09:00:* }
+
+fixtext: |-
+ Configure the USBGuard daemon to allow USB Human Interface Devices and USB hubs.
+
+ Add or edit the following line in "/etc/usbguard/rules.conf":
+
+ allow with-interface match-all { 03:*:* 09:00:* }
diff --git a/linux_os/guide/services/usbguard/usbguard_allow_hub/ansible/shared.yml b/linux_os/guide/services/usbguard/usbguard_allow_hub/ansible/shared.yml
new file mode 100644
index 00000000000..1dfc4f12991
--- /dev/null
+++ b/linux_os/guide/services/usbguard/usbguard_allow_hub/ansible/shared.yml
@@ -0,0 +1,7 @@
+# platform = multi_platform_all
+# reboot = false
+# complexity = low
+# strategy = configure
+# disruption = low
+
+{{{ ansible_lineinfile(msg='allow hubs', path='/etc/usbguard/rules.conf', regex='', new_line='allow with-interface match-all { 09:00:* }', create='yes', state='present') }}}
diff --git a/linux_os/guide/services/usbguard/usbguard_allow_hub/rule.yml b/linux_os/guide/services/usbguard/usbguard_allow_hub/rule.yml
index d0e11ad24f7..a5ff5255052 100644
--- a/linux_os/guide/services/usbguard/usbguard_allow_hub/rule.yml
+++ b/linux_os/guide/services/usbguard/usbguard_allow_hub/rule.yml
@@ -35,3 +35,10 @@ ocil: |-
$ sudo grep allow /etc/usbguard/rules.conf
One of the output lines should be
allow with-interface match-all { 09:00:* }
+ +fixtext: |- + Configure the USBGuard daemon to allow USB hubs. + + Add or edit the following line in "/etc/usbguard/rules.conf" + + allow with-interface match-all { 09:00:* } diff --git a/linux_os/guide/system/permissions/mounting/kernel_module_usb-storage_disabled/rule.yml b/linux_os/guide/system/permissions/mounting/kernel_module_usb-storage_disabled/rule.yml index bd560d7718b..70f54c01434 100644 --- a/linux_os/guide/system/permissions/mounting/kernel_module_usb-storage_disabled/rule.yml +++ b/linux_os/guide/system/permissions/mounting/kernel_module_usb-storage_disabled/rule.yml @@ -57,3 +57,7 @@ template: name: kernel_module_disabled vars: kernmodule: usb-storage + +fixtext: |- + Configure {{{ full_name }}} to disable automated loading of the USB storage driver. + {{{ describe_module_disable(module="usb-storage") }}} diff --git a/linux_os/guide/system/permissions/mounting/service_autofs_disabled/rule.yml b/linux_os/guide/system/permissions/mounting/service_autofs_disabled/rule.yml index 7e612ed01a7..7f5088da08f 100644 --- a/linux_os/guide/system/permissions/mounting/service_autofs_disabled/rule.yml +++ b/linux_os/guide/system/permissions/mounting/service_autofs_disabled/rule.yml @@ -60,9 +60,15 @@ references: ocil: |- {{{ ocil_service_disabled(service="autofs") }}} +ocil_clause: the autofs service is not disabled + platform: machine template: name: service_disabled vars: servicename: autofs + +fixtext: |- + Configure {{{ full_name }}} to disable the ability to automount devices. + {{{ describe_service_disable(service="autofs") }}} diff --git a/linux_os/guide/system/software/gnome/gnome_login_screen/gnome_gdm_disable_automatic_login/rule.yml b/linux_os/guide/system/software/gnome/gnome_login_screen/gnome_gdm_disable_automatic_login/rule.yml index 02e9cc935f8..0dd175536db 100644 --- a/linux_os/guide/system/software/gnome/gnome_login_screen/gnome_gdm_disable_automatic_login/rule.yml 
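Review bot: The usbguard_allow_hub fixtext's instruction line `Add or edit the following line in "/etc/usbguard/rules.conf"` lacks the trailing colon that the sibling usbguard_allow_hid and usbguard_allow_hid_and_hub fixtexts in this commit use; make it `Add or edit the following line in "/etc/usbguard/rules.conf":` so the three rules render consistently. The ocil block this hunk starts from lies outside the changed lines.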
+++ b/linux_os/guide/system/software/gnome/gnome_login_screen/gnome_gdm_disable_automatic_login/rule.yml @@ -51,6 +51,11 @@ ocil: |- AutomaticLoginEnable=false fixtext: |- - {{{ fixtext_dconf_ini_file("daemon", "AutomaticLoginEnable", "false") }}} + Configure GDM to disable automatic login. + + Set AutomaticLoginEnable to false in the [daemon] section in /etc/gdm/custom.conf. For example: + + [daemon] + AutomaticLoginEnable=false platform: machine diff --git a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/rule.yml b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/rule.yml index c9b84c9de9a..cb88275a41d 100644 --- a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/rule.yml +++ b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/rule.yml @@ -19,6 +19,7 @@ description: |- After the settings have been set, run dconf update. rationale: |- + Automatically mounting file systems permits easy introduction of unknown devices, thereby facilitating malicious activity. Disabling automatic mounting in GNOME3 can prevent the introduction of malware via removable media. It will, however, also prevent desktop users from legitimate use @@ -56,3 +57,8 @@ ocil: |- If properly configured, the output for automount-open should be /org/gnome/desktop/media-handling/automount-open platform: machine + +fixtext: |- + Configure GNOME 3 to disable automated mount of removable media. + + {{{ fixtext_dconf_ini_file("org/gnome/desktop/media-handling", "automount-open", "false") }}} diff --git a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/rule.yml b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/rule.yml index 3db631e74e8..b1f9143d4f2 100644 --- a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/rule.yml 
+++ b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/rule.yml @@ -19,6 +19,7 @@ description: |- After the settings have been set, run dconf update. rationale: |- + Automatically mounting file systems permits easy introduction of unknown devices, thereby facilitating malicious activity. Disabling automatic mount running in GNOME3 can prevent the introduction of malware via removable media. It will, however, also prevent desktop users from legitimate use @@ -56,3 +57,8 @@ ocil: |- If properly configured, the output for autorun-never should be /org/gnome/desktop/media-handling/autorun-never platform: machine + +fixtext: |- + Configure GNOME 3 to disable automated mount of removable media. + + {{{ fixtext_dconf_ini_file("org/gnome/desktop/media-handling", "autorun-never", "true") }}} diff --git a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_enabled/rule.yml b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_enabled/rule.yml index 5760a1c429e..4aa461288a2 100644 --- a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_enabled/rule.yml +++ b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_enabled/rule.yml @@ -81,6 +81,6 @@ ocil: |- {{% endif %}} fixtext: |- - {{{ fixtext_dconf_ini_file("/org/gnome/desktop/screensaver/lock-enabled", "lock-enabled", "true") }}} + {{{ fixtext_dconf_ini_file("org/gnome/desktop/screensaver/lock-enabled", "lock-enabled", "true") }}} platform: machine diff --git a/shared/macros/fixtext.jinja b/shared/macros/fixtext.jinja index addec0d029b..1396217ccf7 100644 --- a/shared/macros/fixtext.jinja +++ b/shared/macros/fixtext.jinja 
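Review bot: The fixtext added to dconf_gnome_disable_autorun opens with `Configure GNOME 3 to disable automated mount of removable media.`, the same sentence as the dconf_gnome_disable_automount_open fixtext, but the setting written here is `autorun-never`, not `automount-open`. Reword it to match this rule, e.g. `Configure GNOME 3 to disable automatic running of programs on removable media.`. The rationale sentence added earlier in the same file ("Automatically mounting file systems permits ...") is likewise copied from the automount rule and would read better phrased around autorun.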
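Review bot: The dconf_gnome_screensaver_lock_enabled fixtext still passes the key name inside the `section` argument: with the macro changed in this commit, `"org/gnome/desktop/screensaver/lock-enabled"` renders as `[org/gnome/desktop/screensaver/lock-enabled]` and a lock entry of `/org/gnome/desktop/screensaver/lock-enabled/lock-enabled`, which does not look like the dconf path for this key. The commit fixes only the leading slash; the media-handling callers in the same commit pass the section without the key, so this should follow the same pattern, `{{{ fixtext_dconf_ini_file("org/gnome/desktop/screensaver", "lock-enabled", "true") }}}`. The ocil block preceding this fixtext starts outside the hunk.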
@@ -31,11 +31,17 @@ The audit daemon must be restarted for the changes to take effect. #}} {{%- macro fixtext_dconf_ini_file(section, parameter, value) -%}} The dconf settings can be edited in the /etc/dconf/db/* location. - Edit or add the {{{ section }}} section of the database file and add or update the following lines: - {{{parameter}}}={{{value}}} + First, add or update the [{{{ section }}}] section of the "/etc/dconf/db/local.d/00-security-settings" database file and add or update the following lines: - Update the system databases: + [{{{ section }}}] + {{{ parameter }}}={{{ value }}} + + Then, add the following line to "/etc/dconf/db/local.d/locks/00-security-settings-lock" to prevent user modification: + + /{{{ section }}}/{{{ parameter }}} + + Finally, update the dconf system databases: $ sudo dconf update {{%- endmacro -%}} diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt index b1c8f80b545..2b9a03dea53 100644 --- a/shared/references/cce-redhat-avail.txt +++ b/shared/references/cce-redhat-avail.txt @@ -63,7 +63,6 @@ CCE-85984-3 CCE-85985-0 CCE-85986-8 CCE-85988-4 -CCE-85990-0 CCE-85997-5 CCE-85998-3 CCE-85999-1
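Review bot: The rewritten `fixtext_dconf_ini_file` macro now depends on an argument contract it does not state: `section` must be the dconf path without a leading slash and without the key name, since the macro emits `[{{{ section }}}]` and prefixes `/` itself when building the lock entry, so a caller passing `/org/...` yields a `//org/...` lock path and a caller including the key duplicates it. Add a comment above the macro in the file's existing `{{# ... #}}` style stating that, with an example such as `section="org/gnome/desktop/screensaver", parameter="lock-enabled"`. The opening line `The dconf settings can be edited in the /etc/dconf/db/* location.` is now redundant with the hard-coded `/etc/dconf/db/local.d/00-security-settings` path and could be dropped or tightened.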