
[Stabilization] Fix drop in template to ignore commented out lines #14441

Merged
jan-cerny merged 1 commit into ComplianceAsCode:stabilization from ggbecker:fix-drop-in-template-comment
Feb 23, 2026

Conversation

ggbecker (Member) commented Feb 23, 2026

Description:

@ggbecker ggbecker added this to the 0.1.80 milestone Feb 23, 2026
@ggbecker ggbecker added the Bash Bash remediation update. label Feb 23, 2026
@ggbecker ggbecker force-pushed the fix-drop-in-template-comment branch from 3fd5c0e to 42e42a5 on February 23, 2026 11:23
github-actions bot commented Feb 23, 2026

This datastream diff is auto generated by the check Compare DS/Generate Diff

OVAL for rule 'xccdf_org.ssgproject.content_rule_installed_OS_is_vendor_supported' differs.
--- oval:ssg-installed_OS_is_vendor_supported:def:1
+++ oval:ssg-installed_OS_is_vendor_supported:def:1
@@ -11,5 +11,4 @@
 extend_definition oval:ssg-installed_OS_is_sle16:def:1
 extend_definition oval:ssg-installed_OS_is_slmicro5:def:1
 extend_definition oval:ssg-installed_OS_is_slmicro6:def:1
-extend_definition oval:ssg-installed_OS_is_ubuntu2204:def:1
 extend_definition oval:ssg-installed_OS_is_ubuntu2404:def:1
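Review bot: dropping `extend_definition oval:ssg-installed_OS_is_ubuntu2204:def:1` from the vendor-supported OVAL has nothing to do with ignoring commented-out lines in the drop-in template, and the PR description above is empty, so a reader cannot tell whether this commit removes Ubuntu 22.04 from the supported set or whether the datastream comparison picked the change up from the stabilization base. State the origin in the description, or split it into its own change.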

bash remediation for rule 'xccdf_org.ssgproject.content_rule_xwayland_disabled' differs.
--- xccdf_org.ssgproject.content_rule_xwayland_disabled
+++ xccdf_org.ssgproject.content_rule_xwayland_disabled
@@ -10,19 +10,19 @@
     fi
 
     # find key in section and change value
-    if grep -qzosP "[[:space:]]*\[daemon\]([^\n\[]*\n+)+?[[:space:]]*WaylandEnable" "$f"; then
-        if ! grep -qPz "WaylandEnable=false" "$f"; then
+    if grep -qzosP "(?m)^[[:space:]]*\[daemon\]([^\n\[]*\n+)+?[[:space:]]*WaylandEnable" "$f"; then
+        if ! grep -qzosP "(?m)^[[:space:]]*WaylandEnable[[:space:]]*=[[:space:]]*false" "$f"; then
 
-            sed -i "s/WaylandEnable[^(\n)]*/WaylandEnable=false/" "$f"
+            sed -i "/^[[:space:]]*WaylandEnable/s/\([[:blank:]]*=[[:blank:]]*\).*/\1false/" "$f"
 
         fi
 
         found=true
 
     # find section and add key = value to it
-    elif grep -qs "[[:space:]]*\[daemon\]" "$f"; then
+    elif grep -qs "^[[:space:]]*\[daemon\]" "$f"; then
 
-            sed -i "/[[:space:]]*\[daemon\]/a WaylandEnable=false" "$f"
+            sed -i "/^[[:space:]]*\[daemon\]/a WaylandEnable=false" "$f"
 
             found=true
     fi
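Review bot: the `(?m)^` anchors on both `grep -qzosP` checks and the `^[[:space:]]*` addresses on both `sed` commands do stop a `#WaylandEnable=...` or `#[daemon]` line from satisfying the checks, but the rewrite in `sed -i "/^[[:space:]]*WaylandEnable/s/\([[:blank:]]*=[[:blank:]]*\).*/\1false/" "$f"` is still not limited to the `[daemon]` section that the preceding grep located: a `WaylandEnable` line under any other section of `$f` gets its value replaced as well. The previous version had the same gap, so this is not a regression, but since the section is already known, a range address such as `/^[[:space:]]*\[daemon\]/,/^[[:space:]]*\[/` in front of the substitution would keep the edit consistent with the check. Also note that `.*` after the `=` discards anything that followed the old value on that line, including an inline comment.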

New content has different text for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_disable_automount'.
--- xccdf_org.ssgproject.content_rule_dconf_gnome_disable_automount
+++ xccdf_org.ssgproject.content_rule_dconf_gnome_disable_automount
@@ -6,12 +6,12 @@
 The system's default desktop environment, GNOME3, will mount
 devices and removable media (such as DVDs, CDs and USB flash drives) whenever
 they are inserted into the system. To disable automount within GNOME3, add or set
-automount to false in /etc/dconf/db/gdm.d/00-security-settings.
+automount to false in /etc/dconf/db/local.d/00-security-settings.
 For example:
 [org/gnome/desktop/media-handling]
 automount=false
 Once the settings have been added, add a lock to
-/etc/dconf/db/gdm.d/locks/00-security-settings-lock to prevent user modification.
+/etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification.
 For example:
 /org/gnome/desktop/media-handling/automount
 After the settings have been set, run dconf update.
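Review bot: this hunk moves the setting from `/etc/dconf/db/gdm.d/00-security-settings` to `/etc/dconf/db/local.d/00-security-settings`, that is, from the GDM login-screen database to the local user database, which changes what the rule configures and is not part of the commented-line fix named in the title. The same relocation repeats through the `dconf_gnome_*` rules below; the description should say whether this commit carries it or whether it is inherited from the stabilization base used for the comparison.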

OCIL for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_disable_automount' differs.
--- ocil:ssg-dconf_gnome_disable_automount_ocil:questionnaire:1
+++ ocil:ssg-dconf_gnome_disable_automount_ocil:questionnaire:1
@@ -2,7 +2,7 @@
 $ gsettings get org.gnome.desktop.media-handling automount
 If properly configured, the output for automount should be false.
 To ensure that users cannot enable automount in GNOME3, run the following:
-$ grep 'automount' /etc/dconf/db/gdm.d/locks/*
+$ grep 'automount' /etc/dconf/db/local.d/locks/*
 If properly configured, the output for automount should be /org/gnome/desktop/media-handling/automount
       Is it the case that GNOME automounting is not disabled?
       
bash remediation for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_disable_automount' differs.
--- xccdf_org.ssgproject.content_rule_dconf_gnome_disable_automount
+++ xccdf_org.ssgproject.content_rule_dconf_gnome_disable_automount
@@ -2,6 +2,7 @@
 if rpm --quiet -q gdm; then
 
 # apply fix for enable_dconf_user_profile, OVAL checks it
+
 
 # Check for setting in any of the DConf db directories
 # If files contain ibus or distro, ignore them.
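Review bot: the only added line in this hunk is a blank one under `# apply fix for enable_dconf_user_profile, OVAL checks it`, so the comment is present but none of the code that would apply that fix is visible here. Check that the generated remediation still contains the enable_dconf_user_profile body after this change and that the blank line is not the result of an include expanding to nothing.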

New content has different text for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_disable_automount_open'.
--- xccdf_org.ssgproject.content_rule_dconf_gnome_disable_automount_open
+++ xccdf_org.ssgproject.content_rule_dconf_gnome_disable_automount_open
@@ -6,12 +6,12 @@
 The system's default desktop environment, GNOME3, will mount
 devices and removable media (such as DVDs, CDs and USB flash drives) whenever
 they are inserted into the system. To disable automount-open within GNOME3, add or set
-automount-open to false in /etc/dconf/db/gdm.d/00-security-settings.
+automount-open to false in /etc/dconf/db/local.d/00-security-settings.
 For example:
 [org/gnome/desktop/media-handling]
 automount-open=false
 Once the settings have been added, add a lock to
-/etc/dconf/db/gdm.d/locks/00-security-settings-lock to prevent user modification.
+/etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification.
 For example:
 /org/gnome/desktop/media-handling/automount-open
 After the settings have been set, run dconf update.

OCIL for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_disable_automount_open' differs.
--- ocil:ssg-dconf_gnome_disable_automount_open_ocil:questionnaire:1
+++ ocil:ssg-dconf_gnome_disable_automount_open_ocil:questionnaire:1
@@ -2,7 +2,7 @@
 $ gsettings get org.gnome.desktop.media-handling automount-open
 If properly configured, the output for automount-openshould be false.
 To ensure that users cannot enable automount opening in GNOME3, run the following:
-$ grep 'automount-open' /etc/dconf/db/gdm.d/locks/*
+$ grep 'automount-open' /etc/dconf/db/local.d/locks/*
 If properly configured, the output for automount-open should be /org/gnome/desktop/media-handling/automount-open
       Is it the case that GNOME automounting is not disabled?
       
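Review bot: the context line `If properly configured, the output for automount-openshould be false.` is missing the space before `should`; the autorun OCIL below has the same defect (`autorun-nevershould`). Not introduced by this diff, but both are worth fixing in the OCIL source while these rules are being touched.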
bash remediation for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_disable_automount_open' differs.
--- xccdf_org.ssgproject.content_rule_dconf_gnome_disable_automount_open
+++ xccdf_org.ssgproject.content_rule_dconf_gnome_disable_automount_open
@@ -2,6 +2,7 @@
 if rpm --quiet -q gdm; then
 
 # apply fix for enable_dconf_user_profile, OVAL checks it
+
 
 # Check for setting in any of the DConf db directories
 # If files contain ibus or distro, ignore them.

New content has different text for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_disable_autorun'.
--- xccdf_org.ssgproject.content_rule_dconf_gnome_disable_autorun
+++ xccdf_org.ssgproject.content_rule_dconf_gnome_disable_autorun
@@ -6,12 +6,12 @@
 The system's default desktop environment, GNOME3, will mount
 devices and removable media (such as DVDs, CDs and USB flash drives) whenever
 they are inserted into the system. To disable autorun-never within GNOME3, add or set
-autorun-never to true in /etc/dconf/db/gdm.d/00-security-settings.
+autorun-never to true in /etc/dconf/db/local.d/00-security-settings.
 For example:
 [org/gnome/desktop/media-handling]
 autorun-never=true
 Once the settings have been added, add a lock to
-/etc/dconf/db/gdm.d/locks/00-security-settings-lock to prevent user modification.
+/etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification.
 For example:
 /org/gnome/desktop/media-handling/autorun-never
 After the settings have been set, run dconf update.

OCIL for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_disable_autorun' differs.
--- ocil:ssg-dconf_gnome_disable_autorun_ocil:questionnaire:1
+++ ocil:ssg-dconf_gnome_disable_autorun_ocil:questionnaire:1
@@ -2,7 +2,7 @@
 $ gsettings get org.gnome.desktop.media-handling autorun-never
 If properly configured, the output for autorun-nevershould be true.
 To ensure that users cannot enable autorun in GNOME3, run the following:
-$ grep 'autorun-never' /etc/dconf/db/gdm.d/locks/*
+$ grep 'autorun-never' /etc/dconf/db/local.d/locks/*
 If properly configured, the output for autorun-never should be /org/gnome/desktop/media-handling/autorun-never
       Is it the case that GNOME autorun is not disabled?
       
New content has different text for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_remote_access_credential_prompt'.
--- xccdf_org.ssgproject.content_rule_dconf_gnome_remote_access_credential_prompt
+++ xccdf_org.ssgproject.content_rule_dconf_gnome_remote_access_credential_prompt
@@ -6,12 +6,12 @@
 By default, GNOME does not require credentials when using Vino for
 remote access. To configure the system to require remote credentials, add or set
 authentication-methods to ['vnc'] in
-/etc/dconf/db/gdm.d/00-security-settings. For example:
+/etc/dconf/db/local.d/00-security-settings. For example:
 [org/gnome/Vino]
 authentication-methods=['vnc']
 
 Once the settings have been added, add a lock to
-/etc/dconf/db/gdm.d/locks/00-security-settings-lock to prevent user modification.
+/etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification.
 For example:
 /org/gnome/Vino/authentication-methods
 After the settings have been set, run dconf update.

OCIL for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_remote_access_credential_prompt' differs.
--- ocil:ssg-dconf_gnome_remote_access_credential_prompt_ocil:questionnaire:1
+++ ocil:ssg-dconf_gnome_remote_access_credential_prompt_ocil:questionnaire:1
@@ -2,7 +2,7 @@
 $ gsettings get org.gnome.Vino authentication-methods
 If properly configured, the output should be false.
 To ensure that users cannot disable credentials for remote access, run the following:
-$ grep authentication-methods /etc/dconf/db/gdm.d/locks/*
+$ grep authentication-methods /etc/dconf/db/local.d/locks/*
 If properly configured, the output should be
 /org/gnome/Vino/authentication-methods
       Is it the case that wireless network notification is enabled and not disabled?
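Review bot: two context lines in this OCIL are wrong and worth correcting while the rule is being touched: `If properly configured, the output should be false.` does not match the expected value `['vnc']` that the description gives for `authentication-methods`, and the closing question `Is it the case that wireless network notification is enabled and not disabled?` belongs to a different rule than remote access credentials.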

New content has different text for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_remote_access_encryption'.
--- xccdf_org.ssgproject.content_rule_dconf_gnome_remote_access_encryption
+++ xccdf_org.ssgproject.content_rule_dconf_gnome_remote_access_encryption
@@ -6,12 +6,12 @@
 By default, GNOME requires encryption when using Vino for remote access.
 To prevent remote access encryption from being disabled, add or set
 require-encryption to true in
-/etc/dconf/db/gdm.d/00-security-settings. For example:
+/etc/dconf/db/local.d/00-security-settings. For example:
 [org/gnome/Vino]
 require-encryption=true
 
 Once the settings have been added, add a lock to
-/etc/dconf/db/gdm.d/locks/00-security-settings-lock to prevent user modification.
+/etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification.
 For example:
 /org/gnome/Vino/require-encryption
 After the settings have been set, run dconf update.

OCIL for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_remote_access_encryption' differs.
--- ocil:ssg-dconf_gnome_remote_access_encryption_ocil:questionnaire:1
+++ ocil:ssg-dconf_gnome_remote_access_encryption_ocil:questionnaire:1
@@ -2,7 +2,7 @@
 $ gsettings get org.gnome.Vino require-encrpytion
 If properly configured, the output should be true.
 To ensure that users cannot disable encrypted remote connections, run the following:
-$ grep require-encryption /etc/dconf/db/gdm.d/locks/*
+$ grep require-encryption /etc/dconf/db/local.d/locks/*
 If properly configured, the output should be
 /org/gnome/Vino/require-encryption
       Is it the case that remote access connections are not encrypted?
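Review bot: the context line `$ gsettings get org.gnome.Vino require-encrpytion` misspells the key; `gsettings` will not find `require-encrpytion`, while the lock path two lines down uses the correct `require-encryption`. Not introduced by this diff, but it should be corrected in the OCIL source.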

New content has different text for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_idle_activation_enabled'.
--- xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_idle_activation_enabled
+++ xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_idle_activation_enabled
@@ -5,11 +5,11 @@
 [description]:
 To activate the screensaver in the GNOME3 desktop after a period of inactivity,
 add or set idle-activation-enabled to true in
-/etc/dconf/db/gdm.d/00-security-settings. For example:
+/etc/dconf/db/local.d/00-security-settings. For example:
 [org/gnome/desktop/screensaver]
 idle-activation-enabled=true
 Once the setting has been added, add a lock to
-/etc/dconf/db/gdm.d/locks/00-security-settings-lock to prevent user modification.
+/etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification.
 For example:
 /org/gnome/desktop/screensaver/idle-activation-enabled
 After the settings have been set, run dconf update.

OCIL for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_idle_activation_enabled' differs.
--- ocil:ssg-dconf_gnome_screensaver_idle_activation_enabled_ocil:questionnaire:1
+++ ocil:ssg-dconf_gnome_screensaver_idle_activation_enabled_ocil:questionnaire:1
@@ -2,7 +2,7 @@
 $ gsettings get org.gnome.desktop.screensaver idle-activation-enabled
 If properly configured, the output should be true.
 To ensure that users cannot disable the screensaver idle inactivity setting, run the following:
-$ grep idle-activation-enabled /etc/dconf/db/gdm.d/locks/*
+$ grep idle-activation-enabled /etc/dconf/db/local.d/locks/*
 If properly configured, the output should be /org/gnome/desktop/screensaver/idle-activation-enabled
       Is it the case that idle-activation-enabled is not enabled or configured?
       
New content has different text for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_idle_delay'.
--- xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_idle_delay
+++ xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_idle_delay
@@ -4,12 +4,12 @@
 
 [description]:
 The idle time-out value for inactivity in the GNOME3 desktop is configured via the idle-delay
-setting must be set under an appropriate configuration file(s) in the /etc/dconf/db/gdm.d directory
-and locked in /etc/dconf/db/gdm.d/locks directory to prevent user modification.
+setting must be set under an appropriate configuration file(s) in the /etc/dconf/db/local.d directory
+and locked in /etc/dconf/db/local.d/locks directory to prevent user modification.
 
          
 For example, to configure the system for a 15 minute delay, add the following to
-/etc/dconf/db/gdm.d/00-security-settings:
+/etc/dconf/db/local.d/00-security-settings:
 [org/gnome/desktop/session]
 idle-delay=uint32 900
 

OCIL for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_idle_delay' differs.
--- ocil:ssg-dconf_gnome_screensaver_idle_delay_ocil:questionnaire:1
+++ ocil:ssg-dconf_gnome_screensaver_idle_delay_ocil:questionnaire:1
@@ -2,7 +2,7 @@
 $ gsettings get org.gnome.desktop.session idle-delay
 If properly configured, the output should be 'uint32 '.
 To ensure that users cannot change the screensaver inactivity timeout setting, run the following:
-$ grep idle-delay /etc/dconf/db/gdm.d/locks/*
+$ grep idle-delay /etc/dconf/db/local.d/locks/*
 If properly configured, the output should be /org/gnome/desktop/session/idle-delay
       Is it the case that idle-delay is set to 0 or a value greater than <sub idref="inactivity_timeout_value" />?
       
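Review bot: the context line `If properly configured, the output should be 'uint32 '.` has lost the timeout value, and the question line still carries a raw `<sub idref="inactivity_timeout_value" />`, so the variable is not being substituted into this OCIL. Worth checking the OCIL template for this rule while its paths are being changed.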
bash remediation for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_idle_delay' differs.
--- xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_idle_delay
+++ xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_idle_delay
@@ -2,7 +2,6 @@
 if rpm --quiet -q gdm; then
 
 inactivity_timeout_value=''
-
 
 
 # Check for setting in any of the DConf db directories

New content has different text for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_delay'.
--- xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_delay
+++ xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_delay
@@ -6,7 +6,7 @@
 To activate the locking delay of the screensaver in the GNOME3 desktop when
 the screensaver is activated, add or set lock-delay to uint32 'xccdf_org.ssgproject.content_value_var_screensaver_lock_delay'
           in
-/etc/dconf/db/gdm.d/00-security-settings. For example:
+/etc/dconf/db/local.d/00-security-settings. For example:
 [org/gnome/desktop/screensaver]
 lock-delay=uint32 'xccdf_org.ssgproject.content_value_var_screensaver_lock_delay'
          

bash remediation for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_delay' differs.
--- xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_delay
+++ xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_delay
@@ -1,8 +1,10 @@
 # Remediation is applicable only in certain platforms
 if rpm --quiet -q gdm; then
 
+# apply fix for enable_dconf_user_profile, OVAL checks it
+
+
 var_screensaver_lock_delay=''
-
 
 
 # Check for setting in any of the DConf db directories

New content has different text for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_enabled'.
--- xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_enabled
+++ xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_enabled
@@ -5,12 +5,12 @@
 [description]:
 To activate locking of the screensaver in the GNOME3 desktop when it is activated,
 add or set lock-enabled to true in
-/etc/dconf/db/gdm.d/00-security-settings. For example:
+/etc/dconf/db/local.d/00-security-settings. For example:
 [org/gnome/desktop/screensaver]
 lock-enabled=true
 
 Once the settings have been added, add a lock to
-/etc/dconf/db/gdm.d/locks/00-security-settings-lock to prevent user modification.
+/etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification.
 For example:
 /org/gnome/desktop/screensaver/lock-enabled
 After the settings have been set, run dconf update.

OCIL for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_enabled' differs.
--- ocil:ssg-dconf_gnome_screensaver_lock_enabled_ocil:questionnaire:1
+++ ocil:ssg-dconf_gnome_screensaver_lock_enabled_ocil:questionnaire:1
@@ -3,7 +3,7 @@
 $ gsettings get org.gnome.desktop.screensaver lock-enabled
 If properly configured, the output should be true.
 To ensure that users cannot change how long until the screensaver locks, run the following:
-$ grep lock-enabled /etc/dconf/db/gdm.d/locks/*
+$ grep lock-enabled /etc/dconf/db/local.d/locks/*
 If properly configured, the output for lock-enabled should be /org/gnome/desktop/screensaver/lock-enabled
       Is it the case that screensaver locking is not enabled and/or has not been set or configured correctly?
       
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_enabled' differs.
--- xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_enabled
+++ xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_enabled
@@ -76,7 +76,7 @@
 - name: Enable GNOME3 Screensaver Lock After Idle Period - Enable GNOME3 Screensaver
     Lock After Idle Period
   community.general.ini_file:
-    dest: /etc/dconf/db/gdm.d/00-security-settings
+    dest: /etc/dconf/db/local.d/00-security-settings
     section: org/gnome/desktop/lockdown
     option: disable-lock-screen
     value: 'false'
@@ -105,7 +105,7 @@
 - name: Enable GNOME3 Screensaver Lock After Idle Period - Prevent user modification
     of GNOME disable-lock-screen
   ansible.builtin.lineinfile:
-    path: /etc/dconf/db/gdm.d/locks/00-security-settings-lock
+    path: /etc/dconf/db/local.d/locks/00-security-settings-lock
     regexp: ^/org/gnome/desktop/lockdown/disable-lock-screen$
     line: /org/gnome/desktop/lockdown/disable-lock-screen
     create: true

New content has different text for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_mode_blank'.
--- xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_mode_blank
+++ xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_mode_blank
@@ -5,12 +5,12 @@
 [description]:
 To set the screensaver mode in the GNOME3 desktop to a blank screen,
 add or set picture-uri to string '' in
-/etc/dconf/db/gdm.d/00-security-settings. For example:
+/etc/dconf/db/local.d/00-security-settings. For example:
 [org/gnome/desktop/screensaver]
 picture-uri=string ''
 
 Once the settings have been added, add a lock to
-/etc/dconf/db/gdm.d/locks/00-security-settings-lock to prevent user modification.
+/etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification.
 For example:
 /org/gnome/desktop/screensaver/picture-uri
 After the settings have been set, run dconf update.

OCIL for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_mode_blank' differs.
--- ocil:ssg-dconf_gnome_screensaver_mode_blank_ocil:questionnaire:1
+++ ocil:ssg-dconf_gnome_screensaver_mode_blank_ocil:questionnaire:1
@@ -3,7 +3,7 @@
 If properly configured, the output should be ''.
 
 To ensure that users cannot set the screensaver background, run the following:
-$ grep picture-uri /etc/dconf/db/gdm.d/locks/*
+$ grep picture-uri /etc/dconf/db/local.d/locks/*
 If properly configured, the output should be /org/gnome/desktop/screensaver/picture-uri
       Is it the case that it is not set or configured properly?
       
New content has different text for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_user_locks'.
--- xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_user_locks
+++ xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_user_locks
@@ -5,7 +5,7 @@
 [description]:
 If not already configured, ensure that users cannot change GNOME3 screensaver lock settings
 by adding /org/gnome/desktop/screensaver/lock-delay
-to /etc/dconf/db/gdm.d/locks/00-security-settings-lock to prevent user modification.
+to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification.
 For example:
 /org/gnome/desktop/screensaver/lock-delay
 After the settings have been set, run dconf update.

OCIL for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_user_locks' differs.
--- ocil:ssg-dconf_gnome_screensaver_user_locks_ocil:questionnaire:1
+++ ocil:ssg-dconf_gnome_screensaver_user_locks_ocil:questionnaire:1
@@ -1,5 +1,5 @@
 To ensure that users cannot change session idle and lock settings, run the following:
-$ grep 'lock-delay' /etc/dconf/db/gdm.d/locks/*
+$ grep 'lock-delay' /etc/dconf/db/local.d/locks/*
 If properly configured, the output should return:
 /org/gnome/desktop/screensaver/lock-delay
       Is it the case that GNOME3 session settings are not locked or configured properly?

New content has different text for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_session_idle_user_locks'.
--- xccdf_org.ssgproject.content_rule_dconf_gnome_session_idle_user_locks
+++ xccdf_org.ssgproject.content_rule_dconf_gnome_session_idle_user_locks
@@ -5,7 +5,7 @@
 [description]:
 If not already configured, ensure that users cannot change GNOME3 session idle settings
 by adding /org/gnome/desktop/session/idle-delay
-to /etc/dconf/db/gdm.d/locks/00-security-settings-lock to prevent user modification.
+to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification.
 For example:
 /org/gnome/desktop/session/idle-delay
 After the settings have been set, run dconf update.

OCIL for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_session_idle_user_locks' differs.
--- ocil:ssg-dconf_gnome_session_idle_user_locks_ocil:questionnaire:1
+++ ocil:ssg-dconf_gnome_session_idle_user_locks_ocil:questionnaire:1
@@ -1,5 +1,5 @@
 To ensure that users cannot change session idle and lock settings, run the following:
-$ grep 'idle-delay' /etc/dconf/db/gdm.d/locks/*
+$ grep 'idle-delay' /etc/dconf/db/local.d/locks/*
 If properly configured, the output should return:
 /org/gnome/desktop/session/idle-delay
       Is it the case that idle-delay is not locked?

bash remediation for rule 'xccdf_org.ssgproject.content_rule_disable_weak_deps' differs.
--- xccdf_org.ssgproject.content_rule_disable_weak_deps
+++ xccdf_org.ssgproject.content_rule_disable_weak_deps
@@ -7,19 +7,19 @@
     fi
 
     # find key in section and change value
-    if grep -qzosP "[[:space:]]*\[main\]([^\n\[]*\n+)+?[[:space:]]*install_weak_deps" "$f"; then
-        if ! grep -qPz "install_weak_deps=0" "$f"; then
+    if grep -qzosP "(?m)^[[:space:]]*\[main\]([^\n\[]*\n+)+?[[:space:]]*install_weak_deps" "$f"; then
+        if ! grep -qzosP "(?m)^[[:space:]]*install_weak_deps[[:space:]]*=[[:space:]]*0" "$f"; then
 
-            sed -i "s/install_weak_deps[^(\n)]*/install_weak_deps=0/" "$f"
+            sed -i "/^[[:space:]]*install_weak_deps/s/\([[:blank:]]*=[[:blank:]]*\).*/\10/" "$f"
 
         fi
 
         found=true
 
     # find section and add key = value to it
-    elif grep -qs "[[:space:]]*\[main\]" "$f"; then
+    elif grep -qs "^[[:space:]]*\[main\]" "$f"; then
 
-            sed -i "/[[:space:]]*\[main\]/a install_weak_deps=0" "$f"
+            sed -i "/^[[:space:]]*\[main\]/a install_weak_deps=0" "$f"
 
             found=true
     fi

bash remediation for rule 'xccdf_org.ssgproject.content_rule_dnf-automatic_apply_updates' differs.
--- xccdf_org.ssgproject.content_rule_dnf-automatic_apply_updates
+++ xccdf_org.ssgproject.content_rule_dnf-automatic_apply_updates
@@ -10,19 +10,19 @@
     fi
 
     # find key in section and change value
-    if grep -qzosP "[[:space:]]*\[commands\]([^\n\[]*\n+)+?[[:space:]]*apply_updates" "$f"; then
-        if ! grep -qPz "apply_updates=yes" "$f"; then
+    if grep -qzosP "(?m)^[[:space:]]*\[commands\]([^\n\[]*\n+)+?[[:space:]]*apply_updates" "$f"; then
+        if ! grep -qzosP "(?m)^[[:space:]]*apply_updates[[:space:]]*=[[:space:]]*yes" "$f"; then
 
-            sed -i "s/apply_updates[^(\n)]*/apply_updates=yes/" "$f"
+            sed -i "/^[[:space:]]*apply_updates/s/\([[:blank:]]*=[[:blank:]]*\).*/\1yes/" "$f"
 
         fi
 
         found=true
 
     # find section and add key = value to it
-    elif grep -qs "[[:space:]]*\[commands\]" "$f"; then
+    elif grep -qs "^[[:space:]]*\[commands\]" "$f"; then
 
-            sed -i "/[[:space:]]*\[commands\]/a apply_updates=yes" "$f"
+            sed -i "/^[[:space:]]*\[commands\]/a apply_updates=yes" "$f"
 
             found=true
     fi

bash remediation for rule 'xccdf_org.ssgproject.content_rule_dnf-automatic_security_updates_only' differs.
--- xccdf_org.ssgproject.content_rule_dnf-automatic_security_updates_only
+++ xccdf_org.ssgproject.content_rule_dnf-automatic_security_updates_only
@@ -10,19 +10,19 @@
     fi
 
     # find key in section and change value
-    if grep -qzosP "[[:space:]]*\[commands\]([^\n\[]*\n+)+?[[:space:]]*upgrade_type" "$f"; then
-        if ! grep -qPz "upgrade_type=security" "$f"; then
+    if grep -qzosP "(?m)^[[:space:]]*\[commands\]([^\n\[]*\n+)+?[[:space:]]*upgrade_type" "$f"; then
+        if ! grep -qzosP "(?m)^[[:space:]]*upgrade_type[[:space:]]*=[[:space:]]*security" "$f"; then
 
-            sed -i "s/upgrade_type[^(\n)]*/upgrade_type=security/" "$f"
+            sed -i "/^[[:space:]]*upgrade_type/s/\([[:blank:]]*=[[:blank:]]*\).*/\1security/" "$f"
 
         fi
 
         found=true
 
     # find section and add key = value to it
-    elif grep -qs "[[:space:]]*\[commands\]" "$f"; then
+    elif grep -qs "^[[:space:]]*\[commands\]" "$f"; then
 
-            sed -i "/[[:space:]]*\[commands\]/a upgrade_type=security" "$f"
+            sed -i "/^[[:space:]]*\[commands\]/a upgrade_type=security" "$f"
 
             found=true
     fi

bash remediation for rule 'xccdf_org.ssgproject.content_rule_require_singleuser_auth' differs.
--- xccdf_org.ssgproject.content_rule_require_singleuser_auth
+++ xccdf_org.ssgproject.content_rule_require_singleuser_auth
@@ -10,19 +10,19 @@
     fi
 
     # find key in section and change value
-    if grep -qzosP "[[:space:]]*\[Service\]([^\n\[]*\n+)+?[[:space:]]*ExecStart" "$f"; then
-        if ! grep -qPz "ExecStart=\nExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue" "$f"; then
+    if grep -qzosP "(?m)^[[:space:]]*\[Service\]([^\n\[]*\n+)+?[[:space:]]*ExecStart" "$f"; then
+        if ! grep -qzosP "(?m)^[[:space:]]*ExecStart[[:space:]]*=[[:space:]]*\nExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue" "$f"; then
 
-            sed -i "s/ExecStart[^(\n)]*/ExecStart=\nExecStart=-\/usr\/lib\/systemd\/systemd-sulogin-shell rescue/" "$f"
+            sed -i "/^[[:space:]]*ExecStart/s/\([[:blank:]]*=[[:blank:]]*\).*/\1\nExecStart=-\/usr\/lib\/systemd\/systemd-sulogin-shell rescue/" "$f"
 
         fi
 
         found=true
 
     # find section and add key = value to it
-    elif grep -qs "[[:space:]]*\[Service\]" "$f"; then
+    elif grep -qs "^[[:space:]]*\[Service\]" "$f"; then
 
-            sed -i "/[[:space:]]*\[Service\]/a ExecStart=\nExecStart=-\/usr\/lib\/systemd\/systemd-sulogin-shell rescue" "$f"
+            sed -i "/^[[:space:]]*\[Service\]/a ExecStart=\nExecStart=-\/usr\/lib\/systemd\/systemd-sulogin-shell rescue" "$f"
 
             found=true
     fi
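Review bot: the address `/^[[:space:]]*ExecStart/` in the new `sed`, like the unanchored `[[:space:]]*ExecStart` at the end of the first grep, also matches `ExecStartPre=` and `ExecStartPost=` lines, so a drop-in that contains one of those but no `ExecStart=` would have that directive's value replaced with the sulogin pair instead of getting a proper `ExecStart=` added. Terminating the key with `[[:blank:]]*=` in the address (`/^[[:space:]]*ExecStart[[:blank:]]*=/`) and in the first grep avoids the prefix match. Separately, because the substitution runs on every matching line, a file that already holds `ExecStart=` followed by `ExecStart=-/something-else` fails the second grep and then has the two-line value written once per matching line, leaving four `ExecStart` lines.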

New content has different text for rule 'xccdf_org.ssgproject.content_rule_accounts_no_uid_except_zero'.
--- xccdf_org.ssgproject.content_rule_accounts_no_uid_except_zero
+++ xccdf_org.ssgproject.content_rule_accounts_no_uid_except_zero
@@ -4,8 +4,8 @@
 
 [description]:
 If any account other than root has a UID of 0, this misconfiguration should
-be investigated and the accounts other than root should be removed, locked
-or have their UID changed.
+be investigated and the accounts other than root should be removed or have
+their UID changed.
 
 If the account is associated with system commands or applications the UID
 should be changed to one greater than "0" but less than "1000."

OCIL for rule 'xccdf_org.ssgproject.content_rule_accounts_no_uid_except_zero' differs.
--- ocil:ssg-accounts_no_uid_except_zero_ocil:questionnaire:1
+++ ocil:ssg-accounts_no_uid_except_zero_ocil:questionnaire:1
@@ -2,7 +2,5 @@
 following command:
 $ awk -F: '$3 == 0 {print $1}' /etc/passwd
 root
-Also make sure that if non-root account with UID "0" exist, it is locked:
-$ grep -E '^[^:]+:[!*][^:]*:.*$' /etc/shadow
       Is it the case that any accounts other than "root" have a UID of "0"?
       
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_no_uid_except_zero' differs.
--- xccdf_org.ssgproject.content_rule_accounts_no_uid_except_zero
+++ xccdf_org.ssgproject.content_rule_accounts_no_uid_except_zero
@@ -44,7 +44,7 @@
 
 - name: Lock the password of the user accounts other than root with uid 0
   ansible.builtin.command: passwd -l {{ item.key }}
-  loop: '{{ getent_passwd | dict2items | rejectattr(''key'', ''equalto'', ''root'')
+  loop: '{{ getent_passwd | dict2items | rejectattr(''key'', ''search'', ''root'')
     | list }}'
   when:
   - '"kernel-core" in ansible_facts.packages'
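Review bot: `rejectattr('key', 'search', 'root')` now drops every account whose name merely contains the string `root` (a regex search, not an equality test), so a UID 0 account named, say, `root2` would no longer be locked, whereas the previous `equalto` excluded only `root` itself. If the intent was to tolerate surrounding whitespace, anchor the pattern (`'^root$'`) rather than widening it. This hunk also sits oddly beside the description and OCIL hunks above, which remove locking as an accepted remediation while this task still locks the password instead of removing the account or changing its UID.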

bash remediation for rule 'xccdf_org.ssgproject.content_rule_journald_compress' differs.
--- xccdf_org.ssgproject.content_rule_journald_compress
+++ xccdf_org.ssgproject.content_rule_journald_compress
@@ -10,19 +10,19 @@
     fi
 
     # find key in section and change value
-    if grep -qzosP "[[:space:]]*\[Journal\]([^\n\[]*\n+)+?[[:space:]]*Compress" "$f"; then
-        if ! grep -qPz "Compress=yes" "$f"; then
+    if grep -qzosP "(?m)^[[:space:]]*\[Journal\]([^\n\[]*\n+)+?[[:space:]]*Compress" "$f"; then
+        if ! grep -qzosP "(?m)^[[:space:]]*Compress[[:space:]]*=[[:space:]]*yes" "$f"; then
 
-            sed -i "s/Compress[^(\n)]*/Compress=yes/" "$f"
+            sed -i "/^[[:space:]]*Compress/s/\([[:blank:]]*=[[:blank:]]*\).*/\1yes/" "$f"
 
         fi
 
         found=true
 
     # find section and add key = value to it
-    elif grep -qs "[[:space:]]*\[Journal\]" "$f"; then
+    elif grep -qs "^[[:space:]]*\[Journal\]" "$f"; then
 
-            sed -i "/[[:space:]]*\[Journal\]/a Compress=yes" "$f"
+            sed -i "/^[[:space:]]*\[Journal\]/a Compress=yes" "$f"
 
             found=true
     fi
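Review bot: the section scoping on the first `if` line is not carried into the two statements that depend on it: `(?m)^[[:space:]]*Compress[[:space:]]*=[[:space:]]*yes` and the `sed` address `/^[[:space:]]*Compress/` act on every line in the file that starts with the key, whatever section it sits in. That is harmless in journald.conf, which only has `[Journal]`, but this is shared template code used for multi-section files (sssd.conf below); restricting the `sed` to the section range, e.g. `/^[[:space:]]*\[Journal\]/,/^[[:space:]]*\[/{...}`, would keep the behaviour the comment "find key in section and change value" promises.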

bash remediation for rule 'xccdf_org.ssgproject.content_rule_journald_disable_forward_to_syslog' differs.
--- xccdf_org.ssgproject.content_rule_journald_disable_forward_to_syslog
+++ xccdf_org.ssgproject.content_rule_journald_disable_forward_to_syslog
@@ -10,19 +10,19 @@
     fi
 
     # find key in section and change value
-    if grep -qzosP "[[:space:]]*\[Journal\]([^\n\[]*\n+)+?[[:space:]]*ForwardToSyslog" "$f"; then
-        if ! grep -qPz "ForwardToSyslog=no" "$f"; then
+    if grep -qzosP "(?m)^[[:space:]]*\[Journal\]([^\n\[]*\n+)+?[[:space:]]*ForwardToSyslog" "$f"; then
+        if ! grep -qzosP "(?m)^[[:space:]]*ForwardToSyslog[[:space:]]*=[[:space:]]*no" "$f"; then
 
-            sed -i "s/ForwardToSyslog[^(\n)]*/ForwardToSyslog=no/" "$f"
+            sed -i "/^[[:space:]]*ForwardToSyslog/s/\([[:blank:]]*=[[:blank:]]*\).*/\1no/" "$f"
 
         fi
 
         found=true
 
     # find section and add key = value to it
-    elif grep -qs "[[:space:]]*\[Journal\]" "$f"; then
+    elif grep -qs "^[[:space:]]*\[Journal\]" "$f"; then
 
-            sed -i "/[[:space:]]*\[Journal\]/a ForwardToSyslog=no" "$f"
+            sed -i "/^[[:space:]]*\[Journal\]/a ForwardToSyslog=no" "$f"
 
             found=true
     fi
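Review bot: the comments `# find key in section and change value` and `# find section and add key = value to it` predate this change and no longer mention the property that now matters here, namely that a commented-out `#ForwardToSyslog` line or `#[Journal]` header is deliberately not matched because of the `^` anchor and the `(?m)` flag. A one-line comment stating that would stop the next reader from "simplifying" the anchoring away and reintroducing the bug.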

bash remediation for rule 'xccdf_org.ssgproject.content_rule_journald_forward_to_syslog' differs.
--- xccdf_org.ssgproject.content_rule_journald_forward_to_syslog
+++ xccdf_org.ssgproject.content_rule_journald_forward_to_syslog
@@ -10,19 +10,19 @@
     fi
 
     # find key in section and change value
-    if grep -qzosP "[[:space:]]*\[Journal\]([^\n\[]*\n+)+?[[:space:]]*ForwardToSyslog" "$f"; then
-        if ! grep -qPz "ForwardToSyslog=yes" "$f"; then
+    if grep -qzosP "(?m)^[[:space:]]*\[Journal\]([^\n\[]*\n+)+?[[:space:]]*ForwardToSyslog" "$f"; then
+        if ! grep -qzosP "(?m)^[[:space:]]*ForwardToSyslog[[:space:]]*=[[:space:]]*yes" "$f"; then
 
-            sed -i "s/ForwardToSyslog[^(\n)]*/ForwardToSyslog=yes/" "$f"
+            sed -i "/^[[:space:]]*ForwardToSyslog/s/\([[:blank:]]*=[[:blank:]]*\).*/\1yes/" "$f"
 
         fi
 
         found=true
 
     # find section and add key = value to it
-    elif grep -qs "[[:space:]]*\[Journal\]" "$f"; then
+    elif grep -qs "^[[:space:]]*\[Journal\]" "$f"; then
 
-            sed -i "/[[:space:]]*\[Journal\]/a ForwardToSyslog=yes" "$f"
+            sed -i "/^[[:space:]]*\[Journal\]/a ForwardToSyslog=yes" "$f"
 
             found=true
     fi

bash remediation for rule 'xccdf_org.ssgproject.content_rule_journald_storage' differs.
--- xccdf_org.ssgproject.content_rule_journald_storage
+++ xccdf_org.ssgproject.content_rule_journald_storage
@@ -10,19 +10,19 @@
     fi
 
     # find key in section and change value
-    if grep -qzosP "[[:space:]]*\[Journal\]([^\n\[]*\n+)+?[[:space:]]*Storage" "$f"; then
-        if ! grep -qPz "Storage=persistent" "$f"; then
+    if grep -qzosP "(?m)^[[:space:]]*\[Journal\]([^\n\[]*\n+)+?[[:space:]]*Storage" "$f"; then
+        if ! grep -qzosP "(?m)^[[:space:]]*Storage[[:space:]]*=[[:space:]]*persistent" "$f"; then
 
-            sed -i "s/Storage[^(\n)]*/Storage=persistent/" "$f"
+            sed -i "/^[[:space:]]*Storage/s/\([[:blank:]]*=[[:blank:]]*\).*/\1persistent/" "$f"
 
         fi
 
         found=true
 
     # find section and add key = value to it
-    elif grep -qs "[[:space:]]*\[Journal\]" "$f"; then
+    elif grep -qs "^[[:space:]]*\[Journal\]" "$f"; then
 
-            sed -i "/[[:space:]]*\[Journal\]/a Storage=persistent" "$f"
+            sed -i "/^[[:space:]]*\[Journal\]/a Storage=persistent" "$f"
 
             found=true
     fi

OCIL for rule 'xccdf_org.ssgproject.content_rule_file_groupownership_system_commands_dirs' differs.
--- ocil:ssg-file_groupownership_system_commands_dirs_ocil:questionnaire:1
+++ ocil:ssg-file_groupownership_system_commands_dirs_ocil:questionnaire:1
@@ -1,4 +1,5 @@
 Verify the system commands contained in the following directories are group-owned by "root", or a required system account, with the following command:
+
 $ sudo find -L /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -group root -exec ls -l {} \;
       Is it the case that any system commands are returned and is not group-owned by a required system account?
       
bash remediation for rule 'xccdf_org.ssgproject.content_rule_coredump_disable_backtraces' differs.
--- xccdf_org.ssgproject.content_rule_coredump_disable_backtraces
+++ xccdf_org.ssgproject.content_rule_coredump_disable_backtraces
@@ -10,19 +10,19 @@
     fi
 
     # find key in section and change value
-    if grep -qzosP "[[:space:]]*\[Coredump\]([^\n\[]*\n+)+?[[:space:]]*ProcessSizeMax" "$f"; then
-        if ! grep -qPz "ProcessSizeMax=0" "$f"; then
+    if grep -qzosP "(?m)^[[:space:]]*\[Coredump\]([^\n\[]*\n+)+?[[:space:]]*ProcessSizeMax" "$f"; then
+        if ! grep -qzosP "(?m)^[[:space:]]*ProcessSizeMax[[:space:]]*=[[:space:]]*0" "$f"; then
 
-            sed -i "s/ProcessSizeMax[^(\n)]*/ProcessSizeMax=0/" "$f"
+            sed -i "/^[[:space:]]*ProcessSizeMax/s/\([[:blank:]]*=[[:blank:]]*\).*/\10/" "$f"
 
         fi
 
         found=true
 
     # find section and add key = value to it
-    elif grep -qs "[[:space:]]*\[Coredump\]" "$f"; then
+    elif grep -qs "^[[:space:]]*\[Coredump\]" "$f"; then
 
-            sed -i "/[[:space:]]*\[Coredump\]/a ProcessSizeMax=0" "$f"
+            sed -i "/^[[:space:]]*\[Coredump\]/a ProcessSizeMax=0" "$f"
 
             found=true
     fi
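Review bot: `\10` in the `sed` replacement reads as backreference 10, but sed supports only `\1` to `\9`, so it is parsed as `\1` followed by a literal `0`; that is correct, yet since the value is substituted into the template it is easy to misread as a defect. A short comment in the template explaining the single-digit backreference rule for values that begin with a digit would help (the same applies to `\11` in the offline_credentials_expiration hunk below).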

bash remediation for rule 'xccdf_org.ssgproject.content_rule_coredump_disable_storage' differs.
--- xccdf_org.ssgproject.content_rule_coredump_disable_storage
+++ xccdf_org.ssgproject.content_rule_coredump_disable_storage
@@ -10,19 +10,19 @@
     fi
 
     # find key in section and change value
-    if grep -qzosP "[[:space:]]*\[Coredump\]([^\n\[]*\n+)+?[[:space:]]*Storage" "$f"; then
-        if ! grep -qPz "Storage=none" "$f"; then
+    if grep -qzosP "(?m)^[[:space:]]*\[Coredump\]([^\n\[]*\n+)+?[[:space:]]*Storage" "$f"; then
+        if ! grep -qzosP "(?m)^[[:space:]]*Storage[[:space:]]*=[[:space:]]*none" "$f"; then
 
-            sed -i "s/Storage[^(\n)]*/Storage=none/" "$f"
+            sed -i "/^[[:space:]]*Storage/s/\([[:blank:]]*=[[:blank:]]*\).*/\1none/" "$f"
 
         fi
 
         found=true
 
     # find section and add key = value to it
-    elif grep -qs "[[:space:]]*\[Coredump\]" "$f"; then
+    elif grep -qs "^[[:space:]]*\[Coredump\]" "$f"; then
 
-            sed -i "/[[:space:]]*\[Coredump\]/a Storage=none" "$f"
+            sed -i "/^[[:space:]]*\[Coredump\]/a Storage=none" "$f"
 
             found=true
     fi

bash remediation for rule 'xccdf_org.ssgproject.content_rule_sssd_certificate_verification' differs.
--- xccdf_org.ssgproject.content_rule_sssd_certificate_verification
+++ xccdf_org.ssgproject.content_rule_sssd_certificate_verification
@@ -20,19 +20,19 @@
     fi
 
     # find key in section and change value
-    if grep -qzosP "[[:space:]]*\[sssd\]([^\n\[]*\n+)+?[[:space:]]*certificate_verification" "$f"; then
-        if ! grep -qPz "certificate_verification=ocsp_dgst=$var_sssd_certificate_verification_digest_function" "$f"; then
+    if grep -qzosP "(?m)^[[:space:]]*\[sssd\]([^\n\[]*\n+)+?[[:space:]]*certificate_verification" "$f"; then
+        if ! grep -qzosP "(?m)^[[:space:]]*certificate_verification[[:space:]]*=[[:space:]]*ocsp_dgst=$var_sssd_certificate_verification_digest_function" "$f"; then
 
-            sed -i "s/certificate_verification[^(\n)]*/certificate_verification=ocsp_dgst=$var_sssd_certificate_verification_digest_function/" "$f"
+            sed -i "/^[[:space:]]*certificate_verification/s/\([[:blank:]]*=[[:blank:]]*\).*/\1ocsp_dgst=$var_sssd_certificate_verification_digest_function/" "$f"
 
         fi
 
         found=true
 
     # find section and add key = value to it
-    elif grep -qs "[[:space:]]*\[sssd\]" "$f"; then
+    elif grep -qs "^[[:space:]]*\[sssd\]" "$f"; then
 
-            sed -i "/[[:space:]]*\[sssd\]/a certificate_verification=ocsp_dgst=$var_sssd_certificate_verification_digest_function" "$f"
+            sed -i "/^[[:space:]]*\[sssd\]/a certificate_verification=ocsp_dgst=$var_sssd_certificate_verification_digest_function" "$f"
 
             found=true
     fi
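Review bot: `$var_sssd_certificate_verification_digest_function` is interpolated unescaped into both a PCRE (`grep -P`) and the `sed` replacement, so a value containing `/`, `&` or `\` would break the substitution or alter the regex. Digest names such as sha256 are safe, but an escaping step before use (for the `sed` side, e.g. `printf '%s' "$var" | sed 's/[\/&]/\\&/g'`) would make the template robust to whatever the variable is set to.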

bash remediation for rule 'xccdf_org.ssgproject.content_rule_sssd_enable_smartcards' differs.
--- xccdf_org.ssgproject.content_rule_sssd_enable_smartcards
+++ xccdf_org.ssgproject.content_rule_sssd_enable_smartcards
@@ -15,19 +15,19 @@
     fi
 
     # find key in section and change value
-    if grep -qzosP "[[:space:]]*\[pam\]([^\n\[]*\n+)+?[[:space:]]*pam_cert_auth" "$f"; then
-        if ! grep -qPz "pam_cert_auth=True" "$f"; then
+    if grep -qzosP "(?m)^[[:space:]]*\[pam\]([^\n\[]*\n+)+?[[:space:]]*pam_cert_auth" "$f"; then
+        if ! grep -qzosP "(?m)^[[:space:]]*pam_cert_auth[[:space:]]*=[[:space:]]*True" "$f"; then
 
-            sed -i "s/pam_cert_auth[^(\n)]*/pam_cert_auth=True/" "$f"
+            sed -i "/^[[:space:]]*pam_cert_auth/s/\([[:blank:]]*=[[:blank:]]*\).*/\1True/" "$f"
 
         fi
 
         found=true
 
     # find section and add key = value to it
-    elif grep -qs "[[:space:]]*\[pam\]" "$f"; then
+    elif grep -qs "^[[:space:]]*\[pam\]" "$f"; then
 
-            sed -i "/[[:space:]]*\[pam\]/a pam_cert_auth=True" "$f"
+            sed -i "/^[[:space:]]*\[pam\]/a pam_cert_auth=True" "$f"
 
             found=true
     fi

bash remediation for rule 'xccdf_org.ssgproject.content_rule_sssd_memcache_timeout' differs.
--- xccdf_org.ssgproject.content_rule_sssd_memcache_timeout
+++ xccdf_org.ssgproject.content_rule_sssd_memcache_timeout
@@ -18,19 +18,19 @@
     fi
 
     # find key in section and change value
-    if grep -qzosP "[[:space:]]*\[nss\]([^\n\[]*\n+)+?[[:space:]]*memcache_timeout" "$f"; then
-        if ! grep -qPz "memcache_timeout=$var_sssd_memcache_timeout" "$f"; then
+    if grep -qzosP "(?m)^[[:space:]]*\[nss\]([^\n\[]*\n+)+?[[:space:]]*memcache_timeout" "$f"; then
+        if ! grep -qzosP "(?m)^[[:space:]]*memcache_timeout[[:space:]]*=[[:space:]]*$var_sssd_memcache_timeout" "$f"; then
 
-            sed -i "s/memcache_timeout[^(\n)]*/memcache_timeout=$var_sssd_memcache_timeout/" "$f"
+            sed -i "/^[[:space:]]*memcache_timeout/s/\([[:blank:]]*=[[:blank:]]*\).*/\1$var_sssd_memcache_timeout/" "$f"
 
         fi
 
         found=true
 
     # find section and add key = value to it
-    elif grep -qs "[[:space:]]*\[nss\]" "$f"; then
+    elif grep -qs "^[[:space:]]*\[nss\]" "$f"; then
 
-            sed -i "/[[:space:]]*\[nss\]/a memcache_timeout=$var_sssd_memcache_timeout" "$f"
+            sed -i "/^[[:space:]]*\[nss\]/a memcache_timeout=$var_sssd_memcache_timeout" "$f"
 
             found=true
     fi
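Review bot: the value check `(?m)^[[:space:]]*memcache_timeout[[:space:]]*=[[:space:]]*$var_sssd_memcache_timeout` has no end anchor, so with `$var_sssd_memcache_timeout` set to 300 an active line `memcache_timeout = 3000` is accepted as compliant and left in place. Appending `[[:space:]]*$` (under `(?m)`, `$` matches at end of line) fixes it, and the same anchor is worth adding for every numeric value in this template.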

bash remediation for rule 'xccdf_org.ssgproject.content_rule_sssd_offline_cred_expiration' differs.
--- xccdf_org.ssgproject.content_rule_sssd_offline_cred_expiration
+++ xccdf_org.ssgproject.content_rule_sssd_offline_cred_expiration
@@ -15,19 +15,19 @@
     fi
 
     # find key in section and change value
-    if grep -qzosP "[[:space:]]*\[pam\]([^\n\[]*\n+)+?[[:space:]]*offline_credentials_expiration" "$f"; then
-        if ! grep -qPz "offline_credentials_expiration=1" "$f"; then
+    if grep -qzosP "(?m)^[[:space:]]*\[pam\]([^\n\[]*\n+)+?[[:space:]]*offline_credentials_expiration" "$f"; then
+        if ! grep -qzosP "(?m)^[[:space:]]*offline_credentials_expiration[[:space:]]*=[[:space:]]*1" "$f"; then
 
-            sed -i "s/offline_credentials_expiration[^(\n)]*/offline_credentials_expiration=1/" "$f"
+            sed -i "/^[[:space:]]*offline_credentials_expiration/s/\([[:blank:]]*=[[:blank:]]*\).*/\11/" "$f"
 
         fi
 
         found=true
 
     # find section and add key = value to it
-    elif grep -qs "[[:space:]]*\[pam\]" "$f"; then
+    elif grep -qs "^[[:space:]]*\[pam\]" "$f"; then
 
-            sed -i "/[[:space:]]*\[pam\]/a offline_credentials_expiration=1" "$f"
+            sed -i "/^[[:space:]]*\[pam\]/a offline_credentials_expiration=1" "$f"
 
             found=true
     fi

bash remediation for rule 'xccdf_org.ssgproject.content_rule_sssd_run_as_sssd_user' differs.
--- xccdf_org.ssgproject.content_rule_sssd_run_as_sssd_user
+++ xccdf_org.ssgproject.content_rule_sssd_run_as_sssd_user
@@ -17,19 +17,19 @@
     fi
 
     # find key in section and change value
-    if grep -qzosP "[[:space:]]*\[sssd\]([^\n\[]*\n+)+?[[:space:]]*user" "$f"; then
-        if ! grep -qPz "user=sssd" "$f"; then
+    if grep -qzosP "(?m)^[[:space:]]*\[sssd\]([^\n\[]*\n+)+?[[:space:]]*user" "$f"; then
+        if ! grep -qzosP "(?m)^[[:space:]]*user[[:space:]]*=[[:space:]]*sssd" "$f"; then
 
-            sed -i "s/user[^(\n)]*/user=sssd/" "$f"
+            sed -i "/^[[:space:]]*user/s/\([[:blank:]]*=[[:blank:]]*\).*/\1sssd/" "$f"
 
         fi
 
         found=true
 
     # find section and add key = value to it
-    elif grep -qs "[[:space:]]*\[sssd\]" "$f"; then
+    elif grep -qs "^[[:space:]]*\[sssd\]" "$f"; then
 
-            sed -i "/[[:space:]]*\[sssd\]/a user=sssd" "$f"
+            sed -i "/^[[:space:]]*\[sssd\]/a user=sssd" "$f"
 
             found=true
     fi
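Review bot: the key `user` is used as a bare prefix in the `sed` address `/^[[:space:]]*user/` and in the value check, so the substitution rewrites any line in sssd.conf whose first word merely begins with `user` (any other `user_...` option in any section) to `... = sssd`. Terminating the key in the address, e.g. `/^[[:space:]]*user[[:blank:]]*=/`, limits the edit to the exact key.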

bash remediation for rule 'xccdf_org.ssgproject.content_rule_sssd_ssh_known_hosts_timeout' differs.
--- xccdf_org.ssgproject.content_rule_sssd_ssh_known_hosts_timeout
+++ xccdf_org.ssgproject.content_rule_sssd_ssh_known_hosts_timeout
@@ -18,19 +18,19 @@
     fi
 
     # find key in section and change value
-    if grep -qzosP "[[:space:]]*\[ssh\]([^\n\[]*\n+)+?[[:space:]]*ssh_known_hosts_timeout" "$f"; then
-        if ! grep -qPz "ssh_known_hosts_timeout=$var_sssd_ssh_known_hosts_timeout" "$f"; then
+    if grep -qzosP "(?m)^[[:space:]]*\[ssh\]([^\n\[]*\n+)+?[[:space:]]*ssh_known_hosts_timeout" "$f"; then
+        if ! grep -qzosP "(?m)^[[:space:]]*ssh_known_hosts_timeout[[:space:]]*=[[:space:]]*$var_sssd_ssh_known_hosts_timeout" "$f"; then
 
-            sed -i "s/ssh_known_hosts_timeout[^(\n)]*/ssh_known_hosts_timeout=$var_sssd_ssh_known_hosts_timeout/" "$f"
+            sed -i "/^[[:space:]]*ssh_known_hosts_timeout/s/\([[:blank:]]*=[[:blank:]]*\).*/\1$var_sssd_ssh_known_hosts_timeout/" "$f"
 
         fi
 
         found=true
 
     # find section and add key = value to it
-    elif grep -qs "[[:space:]]*\[ssh\]" "$f"; then
+    elif grep -qs "^[[:space:]]*\[ssh\]" "$f"; then
 
-            sed -i "/[[:space:]]*\[ssh\]/a ssh_known_hosts_timeout=$var_sssd_ssh_known_hosts_timeout" "$f"
+            sed -i "/^[[:space:]]*\[ssh\]/a ssh_known_hosts_timeout=$var_sssd_ssh_known_hosts_timeout" "$f"
 
             found=true
     fi

bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_suid_privilege_function' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_suid_privilege_function
+++ xccdf_org.ssgproject.content_rule_audit_rules_suid_privilege_function
@@ -8,7 +8,9 @@
 for ARCH in "${RULE_ARCHS[@]}"
 do
 	ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH"
+    
 	OTHER_FILTERS="-C uid!=euid -F euid=0"
+	
 	AUID_FILTERS=""
 	SYSCALL="execve"
     
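Review bot: the two added lines contain only whitespace (`+    ` with spaces and `+\t` with a tab) in a block that is otherwise tab-indented; they add nothing, mix indentation styles and will be flagged by trailing-whitespace checks. Drop them, or make them genuinely empty lines if a visual separator is wanted.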
@@ -326,7 +328,9 @@
 for ARCH in "${RULE_ARCHS[@]}"
 do
 	ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH"
+    
 	OTHER_FILTERS="-C gid!=egid -F egid=0"
+	
 	AUID_FILTERS=""
 	SYSCALL="execve"
     
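Review bot: the two `+` lines in this gid/egid loop consist of spaces and a tab only; remove them or leave them truly empty so the tab-indented block stays consistent and whitespace linters stay quiet.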

In cases where a compliant commented-out value was found, the script would consider a found=true directive and would then ignore the rest of the remediation.

For example, if it would find

[Journal]
#ForwardToSyslog=no

for the rule journald_disable_forward_to_syslog, then it would not run the entire remediation with the proper fix.

Detailed description of implemented changes

Anchor at Start of Line: Added ^ to grep and sed patterns. This ensures that a line starting with #{{{ key }}} will not match, as the regex now expects the line to start with either whitespace or the key itself.

Multiline Mode for Grep: Added (?m) to the grep -P commands. This flag makes the ^ anchor match the start of every line within the file buffer instead of just the very beginning of the file.

Selective Sed Replacement: The sed command now specifically selects the line to edit by matching the un-commented key at the start of a line (/^[[:space:]]*{{{ key }}}/) before performing the substitution (s/=.*/.../).

Active Value Verification: The second grep check now verifies if the active configuration matches the target value, preventing it from seeing a commented-out correct value and wrongly deciding that no action is needed.
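Added example, not the ComplianceAsCode template itself: the pre-fix and post-fix checks from the diff wrapped in shell functions with assumed names (`old_value_ok`, `new_value_ok`, `set_key_in_section`), run against a constructed journald.conf fragment in which the compliant value exists only as a comment. It assumes GNU grep with PCRE support and GNU sed, as the template does.

```shell
#!/usr/bin/env bash
# Added example, not the project's template: the pre-fix and post-fix checks
# from the diff as functions, run on a constructed config file so the effect
# of a commented-out value can be seen. Needs GNU grep (-P, -z) and GNU sed.

# Pre-fix active-value check: unanchored, so "#Key=value" satisfies it.
old_value_ok() {            # file key value
    grep -qPz "$2=$3" "$1"
}

# Post-fix active-value check: (?m)^ makes the key start a line, so a
# commented-out "#Key=value" is no longer taken as the active setting.
new_value_ok() {            # file key value
    grep -qzosP "(?m)^[[:space:]]*$2[[:space:]]*=[[:space:]]*$3" "$1"
}

# Pre-fix section test: unanchored, so a commented-out "#[Section]" matches.
old_section_present() {     # file section
    grep -qs "[[:space:]]*\[$2\]" "$1"
}

# Post-fix section test: the header must start the line.
new_section_present() {     # file section
    grep -qs "^[[:space:]]*\[$2\]" "$1"
}

# Post-fix change-or-append logic, mirroring the "+" lines of the diff.
# Returns 0 when the file was modified, 1 when it was already compliant.
set_key_in_section() {      # file section key value
    local f=$1 section=$2 key=$3 value=$4
    if grep -qzosP "(?m)^[[:space:]]*\[$section\]([^\n\[]*\n+)+?[[:space:]]*$key" "$f"; then
        new_value_ok "$f" "$key" "$value" && return 1
        sed -i "/^[[:space:]]*$key/s/\([[:blank:]]*=[[:blank:]]*\).*/\1$value/" "$f"
    elif new_section_present "$f" "$section"; then
        sed -i "/^[[:space:]]*\[$section\]/a $key=$value" "$f"
    else
        printf '[%s]\n%s=%s\n' "$section" "$key" "$value" >> "$f"
    fi
    return 0
}

# Constructed sample: the active value is wrong and the compliant value is
# present only as a comment, which is exactly the case the fix targets.
write_sample() {            # file
    printf '[Journal]\nForwardToSyslog=yes\n#ForwardToSyslog=no\n' > "$1"
}

# Number of uncommented lines that set key=value exactly.
count_active() {            # file key value
    grep -c "^$2=$3\$" "$1" || true
}

demo() {
    local f; f=$(mktemp)
    write_sample "$f"
    old_value_ok "$f" ForwardToSyslog no && echo "pre-fix: compliant (wrong: value is commented out)"
    new_value_ok "$f" ForwardToSyslog no || echo "post-fix: not compliant (correct)"
    set_key_in_section "$f" Journal ForwardToSyslog no && echo "after remediation:"
    cat "$f"
    rm -f "$f"
}
```

Running `demo` shows the old check accepting the commented-out value while the new logic rewrites the active `ForwardToSyslog=yes` line and leaves the comment alone; a commented-out `#[Journal]` header is likewise no longer treated as the section.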
@ggbecker ggbecker force-pushed the fix-drop-in-template-comment branch from 42e42a5 to ac284b3 on February 23, 2026 11:56
@jan-cerny jan-cerny self-assigned this Feb 23, 2026
@jan-cerny jan-cerny left a comment

I haven't found any problems in the PR. Moreover, I have run automatus tests for rule journald_compress and they pass both with bash and ansible. Thanks for your fix.

jcerny@fedora:~/work/git/scap-security-guide (pr/14441)$ python3 tests/automatus.py rule --libvirt qemu:///system ssgts_rhel9 journald_compress
Setting console output to log level INFO
INFO - The base image option has not been specified, choosing libvirt-based test environment.
INFO - Logging into /home/jcerny/work/git/scap-security-guide/logs/rule-custom-2026-02-23-1701/test_suite.log
INFO - xccdf_org.ssgproject.content_rule_journald_compress
INFO - Script wrong_dir_spaces.fail.sh using profile (all) OK
INFO - Script correct_dir.pass.sh using profile (all) OK
INFO - Script multiple_vals.fail.sh using profile (all) OK
INFO - Script correct_dir_spaces.pass.sh using profile (all) OK
INFO - Script correct_master.pass.sh using profile (all) OK
INFO - Script wrong_master.fail.sh using profile (all) OK
INFO - Script commented_out_correct_value_master.fail.sh using profile (all) OK
INFO - Script wrong_dir.fail.sh using profile (all) OK
INFO - Script correct_value_in_quotes.fail.sh using profile (all) OK
jcerny@fedora:~/work/git/scap-security-guide (pr/14441)$ python3 tests/automatus.py rule --libvirt qemu:///system ssgts_rhel9 --remediate-using ansible journald_compress
Setting console output to log level INFO
INFO - The base image option has not been specified, choosing libvirt-based test environment.
INFO - Logging into /home/jcerny/work/git/scap-security-guide/logs/rule-custom-2026-02-23-1705/test_suite.log
INFO - xccdf_org.ssgproject.content_rule_journald_compress
INFO - Script wrong_dir.fail.sh using profile (all) OK
INFO - Script correct_dir_spaces.pass.sh using profile (all) OK
INFO - Script commented_out_correct_value_master.fail.sh using profile (all) OK
INFO - Script correct_dir.pass.sh using profile (all) OK
INFO - Script correct_master.pass.sh using profile (all) OK
INFO - Script multiple_vals.fail.sh using profile (all) OK
INFO - Script wrong_dir_spaces.fail.sh using profile (all) OK
INFO - Script wrong_master.fail.sh using profile (all) OK
INFO - Script correct_value_in_quotes.fail.sh using profile (all) OK

@jan-cerny jan-cerny merged commit 2e96ab5 into ComplianceAsCode:stabilization Feb 23, 2026
47 of 49 checks passed