Fix drop in template to ignore commented out lines#14442
Merged
jan-cerny merged 1 commit into ComplianceAsCode:master, Feb 24, 2026
Conversation
This datastream diff is auto generated by the check.
bash remediation for rule 'xccdf_org.ssgproject.content_rule_xwayland_disabled' differs.
--- xccdf_org.ssgproject.content_rule_xwayland_disabled
+++ xccdf_org.ssgproject.content_rule_xwayland_disabled
@@ -10,19 +10,19 @@
fi
# find key in section and change value
- if grep -qzosP "[[:space:]]*\[daemon\]([^\n\[]*\n+)+?[[:space:]]*WaylandEnable" "$f"; then
- if ! grep -qPz "WaylandEnable=false" "$f"; then
+ if grep -qzosP "(?m)^[[:space:]]*\[daemon\]([^\n\[]*\n+)+?[[:space:]]*WaylandEnable" "$f"; then
+ if ! grep -qzosP "(?m)^[[:space:]]*WaylandEnable[[:space:]]*=[[:space:]]*false" "$f"; then
- sed -i "s/WaylandEnable[^(\n)]*/WaylandEnable=false/" "$f"
+ sed -i "/^[[:space:]]*WaylandEnable/s/\([[:blank:]]*=[[:blank:]]*\).*/\1false/" "$f"
fi
found=true
# find section and add key = value to it
- elif grep -qs "[[:space:]]*\[daemon\]" "$f"; then
+ elif grep -qs "^[[:space:]]*\[daemon\]" "$f"; then
- sed -i "/[[:space:]]*\[daemon\]/a WaylandEnable=false" "$f"
+ sed -i "/^[[:space:]]*\[daemon\]/a WaylandEnable=false" "$f"
found=true
fi
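Review bot: the section scoping stops at the first grep. The value check on the `! grep -qzosP "(?m)^[[:space:]]*WaylandEnable[[:space:]]*=...` line and the `sed -i "/^[[:space:]]*WaylandEnable/s/...` line both run over the whole file, so a `WaylandEnable` line under any other section satisfies the check or gets rewritten, and `found=true` is then set on the strength of a line the `[daemon]` match never looked at. Since the key-under-section regex already locates the right line, consider a range address for the sed (`/^[[:space:]]*\[daemon\]/,/^[[:space:]]*\[/`) and piping the same range through the value grep, so all three steps inspect the same lines.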
bash remediation for rule 'xccdf_org.ssgproject.content_rule_disable_weak_deps' differs.
--- xccdf_org.ssgproject.content_rule_disable_weak_deps
+++ xccdf_org.ssgproject.content_rule_disable_weak_deps
@@ -7,19 +7,19 @@
fi
# find key in section and change value
- if grep -qzosP "[[:space:]]*\[main\]([^\n\[]*\n+)+?[[:space:]]*install_weak_deps" "$f"; then
- if ! grep -qPz "install_weak_deps=0" "$f"; then
+ if grep -qzosP "(?m)^[[:space:]]*\[main\]([^\n\[]*\n+)+?[[:space:]]*install_weak_deps" "$f"; then
+ if ! grep -qzosP "(?m)^[[:space:]]*install_weak_deps[[:space:]]*=[[:space:]]*0" "$f"; then
- sed -i "s/install_weak_deps[^(\n)]*/install_weak_deps=0/" "$f"
+ sed -i "/^[[:space:]]*install_weak_deps/s/\([[:blank:]]*=[[:blank:]]*\).*/\10/" "$f"
fi
found=true
# find section and add key = value to it
- elif grep -qs "[[:space:]]*\[main\]" "$f"; then
+ elif grep -qs "^[[:space:]]*\[main\]" "$f"; then
- sed -i "/[[:space:]]*\[main\]/a install_weak_deps=0" "$f"
+ sed -i "/^[[:space:]]*\[main\]/a install_weak_deps=0" "$f"
found=true
fi
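Review bot: `\10` on the `sed -i "/^[[:space:]]*install_weak_deps/...` line is backreference 1 followed by a literal `0` only because sed backreferences are single-digit; it is correct, but it reads as group 10, and the same shape recurs as `\11` in the offline_credentials_expiration hunk and `\10` in coredump_disable_backtraces. A one-line comment at the point in the template where the value is emitted, or splitting the replacement into `{s/\(...\).*/\1/;s/$/0/}` on the same address, would spare the next reader a trip to the manual.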
bash remediation for rule 'xccdf_org.ssgproject.content_rule_dnf-automatic_apply_updates' differs.
--- xccdf_org.ssgproject.content_rule_dnf-automatic_apply_updates
+++ xccdf_org.ssgproject.content_rule_dnf-automatic_apply_updates
@@ -10,19 +10,19 @@
fi
# find key in section and change value
- if grep -qzosP "[[:space:]]*\[commands\]([^\n\[]*\n+)+?[[:space:]]*apply_updates" "$f"; then
- if ! grep -qPz "apply_updates=yes" "$f"; then
+ if grep -qzosP "(?m)^[[:space:]]*\[commands\]([^\n\[]*\n+)+?[[:space:]]*apply_updates" "$f"; then
+ if ! grep -qzosP "(?m)^[[:space:]]*apply_updates[[:space:]]*=[[:space:]]*yes" "$f"; then
- sed -i "s/apply_updates[^(\n)]*/apply_updates=yes/" "$f"
+ sed -i "/^[[:space:]]*apply_updates/s/\([[:blank:]]*=[[:blank:]]*\).*/\1yes/" "$f"
fi
found=true
# find section and add key = value to it
- elif grep -qs "[[:space:]]*\[commands\]" "$f"; then
+ elif grep -qs "^[[:space:]]*\[commands\]" "$f"; then
- sed -i "/[[:space:]]*\[commands\]/a apply_updates=yes" "$f"
+ sed -i "/^[[:space:]]*\[commands\]/a apply_updates=yes" "$f"
found=true
fi
bash remediation for rule 'xccdf_org.ssgproject.content_rule_dnf-automatic_security_updates_only' differs.
--- xccdf_org.ssgproject.content_rule_dnf-automatic_security_updates_only
+++ xccdf_org.ssgproject.content_rule_dnf-automatic_security_updates_only
@@ -10,19 +10,19 @@
fi
# find key in section and change value
- if grep -qzosP "[[:space:]]*\[commands\]([^\n\[]*\n+)+?[[:space:]]*upgrade_type" "$f"; then
- if ! grep -qPz "upgrade_type=security" "$f"; then
+ if grep -qzosP "(?m)^[[:space:]]*\[commands\]([^\n\[]*\n+)+?[[:space:]]*upgrade_type" "$f"; then
+ if ! grep -qzosP "(?m)^[[:space:]]*upgrade_type[[:space:]]*=[[:space:]]*security" "$f"; then
- sed -i "s/upgrade_type[^(\n)]*/upgrade_type=security/" "$f"
+ sed -i "/^[[:space:]]*upgrade_type/s/\([[:blank:]]*=[[:blank:]]*\).*/\1security/" "$f"
fi
found=true
# find section and add key = value to it
- elif grep -qs "[[:space:]]*\[commands\]" "$f"; then
+ elif grep -qs "^[[:space:]]*\[commands\]" "$f"; then
- sed -i "/[[:space:]]*\[commands\]/a upgrade_type=security" "$f"
+ sed -i "/^[[:space:]]*\[commands\]/a upgrade_type=security" "$f"
found=true
fi
bash remediation for rule 'xccdf_org.ssgproject.content_rule_require_singleuser_auth' differs.
--- xccdf_org.ssgproject.content_rule_require_singleuser_auth
+++ xccdf_org.ssgproject.content_rule_require_singleuser_auth
@@ -10,19 +10,19 @@
fi
# find key in section and change value
- if grep -qzosP "[[:space:]]*\[Service\]([^\n\[]*\n+)+?[[:space:]]*ExecStart" "$f"; then
- if ! grep -qPz "ExecStart=\nExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue" "$f"; then
+ if grep -qzosP "(?m)^[[:space:]]*\[Service\]([^\n\[]*\n+)+?[[:space:]]*ExecStart" "$f"; then
+ if ! grep -qzosP "(?m)^[[:space:]]*ExecStart[[:space:]]*=[[:space:]]*\nExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue" "$f"; then
- sed -i "s/ExecStart[^(\n)]*/ExecStart=\nExecStart=-\/usr\/lib\/systemd\/systemd-sulogin-shell rescue/" "$f"
+ sed -i "/^[[:space:]]*ExecStart/s/\([[:blank:]]*=[[:blank:]]*\).*/\1\nExecStart=-\/usr\/lib\/systemd\/systemd-sulogin-shell rescue/" "$f"
fi
found=true
# find section and add key = value to it
- elif grep -qs "[[:space:]]*\[Service\]" "$f"; then
+ elif grep -qs "^[[:space:]]*\[Service\]" "$f"; then
- sed -i "/[[:space:]]*\[Service\]/a ExecStart=\nExecStart=-\/usr\/lib\/systemd\/systemd-sulogin-shell rescue" "$f"
+ sed -i "/^[[:space:]]*\[Service\]/a ExecStart=\nExecStart=-\/usr\/lib\/systemd\/systemd-sulogin-shell rescue" "$f"
found=true
fi
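Review bot: the address `/^[[:space:]]*ExecStart/` on the sed line selects every ExecStart line in the drop-in, not just the one that needs fixing. A unit that already contains the `ExecStart=` reset line followed by a non-compliant `ExecStart=/...` fails the check on the `! grep -qzosP "(?m)^[[:space:]]*ExecStart...` line (it wants the exact sulogin pair), and the substitution then expands both lines into the two-line pair, leaving four ExecStart lines; the second empty `ExecStart=` resets the list again so the effective command is still the sulogin shell, but the edit is not idempotent and the resulting file is confusing to audit. Deleting the existing lines (`/^[[:space:]]*ExecStart/d`) and then appending the pair under `[Service]` through the `a` branch already present in the elif gives a single, stable result.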
bash remediation for rule 'xccdf_org.ssgproject.content_rule_journald_compress' differs.
--- xccdf_org.ssgproject.content_rule_journald_compress
+++ xccdf_org.ssgproject.content_rule_journald_compress
@@ -10,19 +10,19 @@
fi
# find key in section and change value
- if grep -qzosP "[[:space:]]*\[Journal\]([^\n\[]*\n+)+?[[:space:]]*Compress" "$f"; then
- if ! grep -qPz "Compress=yes" "$f"; then
+ if grep -qzosP "(?m)^[[:space:]]*\[Journal\]([^\n\[]*\n+)+?[[:space:]]*Compress" "$f"; then
+ if ! grep -qzosP "(?m)^[[:space:]]*Compress[[:space:]]*=[[:space:]]*yes" "$f"; then
- sed -i "s/Compress[^(\n)]*/Compress=yes/" "$f"
+ sed -i "/^[[:space:]]*Compress/s/\([[:blank:]]*=[[:blank:]]*\).*/\1yes/" "$f"
fi
found=true
# find section and add key = value to it
- elif grep -qs "[[:space:]]*\[Journal\]" "$f"; then
+ elif grep -qs "^[[:space:]]*\[Journal\]" "$f"; then
- sed -i "/[[:space:]]*\[Journal\]/a Compress=yes" "$f"
+ sed -i "/^[[:space:]]*\[Journal\]/a Compress=yes" "$f"
found=true
fi
bash remediation for rule 'xccdf_org.ssgproject.content_rule_journald_disable_forward_to_syslog' differs.
--- xccdf_org.ssgproject.content_rule_journald_disable_forward_to_syslog
+++ xccdf_org.ssgproject.content_rule_journald_disable_forward_to_syslog
@@ -10,19 +10,19 @@
fi
# find key in section and change value
- if grep -qzosP "[[:space:]]*\[Journal\]([^\n\[]*\n+)+?[[:space:]]*ForwardToSyslog" "$f"; then
- if ! grep -qPz "ForwardToSyslog=no" "$f"; then
+ if grep -qzosP "(?m)^[[:space:]]*\[Journal\]([^\n\[]*\n+)+?[[:space:]]*ForwardToSyslog" "$f"; then
+ if ! grep -qzosP "(?m)^[[:space:]]*ForwardToSyslog[[:space:]]*=[[:space:]]*no" "$f"; then
- sed -i "s/ForwardToSyslog[^(\n)]*/ForwardToSyslog=no/" "$f"
+ sed -i "/^[[:space:]]*ForwardToSyslog/s/\([[:blank:]]*=[[:blank:]]*\).*/\1no/" "$f"
fi
found=true
# find section and add key = value to it
- elif grep -qs "[[:space:]]*\[Journal\]" "$f"; then
+ elif grep -qs "^[[:space:]]*\[Journal\]" "$f"; then
- sed -i "/[[:space:]]*\[Journal\]/a ForwardToSyslog=no" "$f"
+ sed -i "/^[[:space:]]*\[Journal\]/a ForwardToSyslog=no" "$f"
found=true
fi
bash remediation for rule 'xccdf_org.ssgproject.content_rule_journald_forward_to_syslog' differs.
--- xccdf_org.ssgproject.content_rule_journald_forward_to_syslog
+++ xccdf_org.ssgproject.content_rule_journald_forward_to_syslog
@@ -10,19 +10,19 @@
fi
# find key in section and change value
- if grep -qzosP "[[:space:]]*\[Journal\]([^\n\[]*\n+)+?[[:space:]]*ForwardToSyslog" "$f"; then
- if ! grep -qPz "ForwardToSyslog=yes" "$f"; then
+ if grep -qzosP "(?m)^[[:space:]]*\[Journal\]([^\n\[]*\n+)+?[[:space:]]*ForwardToSyslog" "$f"; then
+ if ! grep -qzosP "(?m)^[[:space:]]*ForwardToSyslog[[:space:]]*=[[:space:]]*yes" "$f"; then
- sed -i "s/ForwardToSyslog[^(\n)]*/ForwardToSyslog=yes/" "$f"
+ sed -i "/^[[:space:]]*ForwardToSyslog/s/\([[:blank:]]*=[[:blank:]]*\).*/\1yes/" "$f"
fi
found=true
# find section and add key = value to it
- elif grep -qs "[[:space:]]*\[Journal\]" "$f"; then
+ elif grep -qs "^[[:space:]]*\[Journal\]" "$f"; then
- sed -i "/[[:space:]]*\[Journal\]/a ForwardToSyslog=yes" "$f"
+ sed -i "/^[[:space:]]*\[Journal\]/a ForwardToSyslog=yes" "$f"
found=true
fi
bash remediation for rule 'xccdf_org.ssgproject.content_rule_journald_storage' differs.
--- xccdf_org.ssgproject.content_rule_journald_storage
+++ xccdf_org.ssgproject.content_rule_journald_storage
@@ -10,19 +10,19 @@
fi
# find key in section and change value
- if grep -qzosP "[[:space:]]*\[Journal\]([^\n\[]*\n+)+?[[:space:]]*Storage" "$f"; then
- if ! grep -qPz "Storage=persistent" "$f"; then
+ if grep -qzosP "(?m)^[[:space:]]*\[Journal\]([^\n\[]*\n+)+?[[:space:]]*Storage" "$f"; then
+ if ! grep -qzosP "(?m)^[[:space:]]*Storage[[:space:]]*=[[:space:]]*persistent" "$f"; then
- sed -i "s/Storage[^(\n)]*/Storage=persistent/" "$f"
+ sed -i "/^[[:space:]]*Storage/s/\([[:blank:]]*=[[:blank:]]*\).*/\1persistent/" "$f"
fi
found=true
# find section and add key = value to it
- elif grep -qs "[[:space:]]*\[Journal\]" "$f"; then
+ elif grep -qs "^[[:space:]]*\[Journal\]" "$f"; then
- sed -i "/[[:space:]]*\[Journal\]/a Storage=persistent" "$f"
+ sed -i "/^[[:space:]]*\[Journal\]/a Storage=persistent" "$f"
found=true
fi
bash remediation for rule 'xccdf_org.ssgproject.content_rule_coredump_disable_backtraces' differs.
--- xccdf_org.ssgproject.content_rule_coredump_disable_backtraces
+++ xccdf_org.ssgproject.content_rule_coredump_disable_backtraces
@@ -10,19 +10,19 @@
fi
# find key in section and change value
- if grep -qzosP "[[:space:]]*\[Coredump\]([^\n\[]*\n+)+?[[:space:]]*ProcessSizeMax" "$f"; then
- if ! grep -qPz "ProcessSizeMax=0" "$f"; then
+ if grep -qzosP "(?m)^[[:space:]]*\[Coredump\]([^\n\[]*\n+)+?[[:space:]]*ProcessSizeMax" "$f"; then
+ if ! grep -qzosP "(?m)^[[:space:]]*ProcessSizeMax[[:space:]]*=[[:space:]]*0" "$f"; then
- sed -i "s/ProcessSizeMax[^(\n)]*/ProcessSizeMax=0/" "$f"
+ sed -i "/^[[:space:]]*ProcessSizeMax/s/\([[:blank:]]*=[[:blank:]]*\).*/\10/" "$f"
fi
found=true
# find section and add key = value to it
- elif grep -qs "[[:space:]]*\[Coredump\]" "$f"; then
+ elif grep -qs "^[[:space:]]*\[Coredump\]" "$f"; then
- sed -i "/[[:space:]]*\[Coredump\]/a ProcessSizeMax=0" "$f"
+ sed -i "/^[[:space:]]*\[Coredump\]/a ProcessSizeMax=0" "$f"
found=true
fi
bash remediation for rule 'xccdf_org.ssgproject.content_rule_coredump_disable_storage' differs.
--- xccdf_org.ssgproject.content_rule_coredump_disable_storage
+++ xccdf_org.ssgproject.content_rule_coredump_disable_storage
@@ -10,19 +10,19 @@
fi
# find key in section and change value
- if grep -qzosP "[[:space:]]*\[Coredump\]([^\n\[]*\n+)+?[[:space:]]*Storage" "$f"; then
- if ! grep -qPz "Storage=none" "$f"; then
+ if grep -qzosP "(?m)^[[:space:]]*\[Coredump\]([^\n\[]*\n+)+?[[:space:]]*Storage" "$f"; then
+ if ! grep -qzosP "(?m)^[[:space:]]*Storage[[:space:]]*=[[:space:]]*none" "$f"; then
- sed -i "s/Storage[^(\n)]*/Storage=none/" "$f"
+ sed -i "/^[[:space:]]*Storage/s/\([[:blank:]]*=[[:blank:]]*\).*/\1none/" "$f"
fi
found=true
# find section and add key = value to it
- elif grep -qs "[[:space:]]*\[Coredump\]" "$f"; then
+ elif grep -qs "^[[:space:]]*\[Coredump\]" "$f"; then
- sed -i "/[[:space:]]*\[Coredump\]/a Storage=none" "$f"
+ sed -i "/^[[:space:]]*\[Coredump\]/a Storage=none" "$f"
found=true
fi
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sssd_certificate_verification' differs.
--- xccdf_org.ssgproject.content_rule_sssd_certificate_verification
+++ xccdf_org.ssgproject.content_rule_sssd_certificate_verification
@@ -20,19 +20,19 @@
fi
# find key in section and change value
- if grep -qzosP "[[:space:]]*\[sssd\]([^\n\[]*\n+)+?[[:space:]]*certificate_verification" "$f"; then
- if ! grep -qPz "certificate_verification=ocsp_dgst=$var_sssd_certificate_verification_digest_function" "$f"; then
+ if grep -qzosP "(?m)^[[:space:]]*\[sssd\]([^\n\[]*\n+)+?[[:space:]]*certificate_verification" "$f"; then
+ if ! grep -qzosP "(?m)^[[:space:]]*certificate_verification[[:space:]]*=[[:space:]]*ocsp_dgst=$var_sssd_certificate_verification_digest_function" "$f"; then
- sed -i "s/certificate_verification[^(\n)]*/certificate_verification=ocsp_dgst=$var_sssd_certificate_verification_digest_function/" "$f"
+ sed -i "/^[[:space:]]*certificate_verification/s/\([[:blank:]]*=[[:blank:]]*\).*/\1ocsp_dgst=$var_sssd_certificate_verification_digest_function/" "$f"
fi
found=true
# find section and add key = value to it
- elif grep -qs "[[:space:]]*\[sssd\]" "$f"; then
+ elif grep -qs "^[[:space:]]*\[sssd\]" "$f"; then
- sed -i "/[[:space:]]*\[sssd\]/a certificate_verification=ocsp_dgst=$var_sssd_certificate_verification_digest_function" "$f"
+ sed -i "/^[[:space:]]*\[sssd\]/a certificate_verification=ocsp_dgst=$var_sssd_certificate_verification_digest_function" "$f"
found=true
fi
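Review bot: the value check on the `! grep -qzosP "(?m)^[[:space:]]*certificate_verification[[:space:]]*=[[:space:]]*ocsp_dgst=$var_...` line has no end anchor, so any line that continues after the digest function with further comma-separated options still matches and the sed is skipped, i.e. additional options that weaken verification pass as compliant. With `(?m)` already in effect, closing the pattern with `[[:space:]]*$` restricts the match to a line that carries exactly the expected setting. Separately, `$var_sssd_certificate_verification_digest_function` is expanded unquoted inside a PCRE on that line and inside the sed replacement two lines below, so the variable's allowed values must stay free of regex and sed metacharacters (`/`, `&`, `.`); worth a comment at the variable definition.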
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sssd_enable_smartcards' differs.
--- xccdf_org.ssgproject.content_rule_sssd_enable_smartcards
+++ xccdf_org.ssgproject.content_rule_sssd_enable_smartcards
@@ -15,19 +15,19 @@
fi
# find key in section and change value
- if grep -qzosP "[[:space:]]*\[pam\]([^\n\[]*\n+)+?[[:space:]]*pam_cert_auth" "$f"; then
- if ! grep -qPz "pam_cert_auth=True" "$f"; then
+ if grep -qzosP "(?m)^[[:space:]]*\[pam\]([^\n\[]*\n+)+?[[:space:]]*pam_cert_auth" "$f"; then
+ if ! grep -qzosP "(?m)^[[:space:]]*pam_cert_auth[[:space:]]*=[[:space:]]*True" "$f"; then
- sed -i "s/pam_cert_auth[^(\n)]*/pam_cert_auth=True/" "$f"
+ sed -i "/^[[:space:]]*pam_cert_auth/s/\([[:blank:]]*=[[:blank:]]*\).*/\1True/" "$f"
fi
found=true
# find section and add key = value to it
- elif grep -qs "[[:space:]]*\[pam\]" "$f"; then
+ elif grep -qs "^[[:space:]]*\[pam\]" "$f"; then
- sed -i "/[[:space:]]*\[pam\]/a pam_cert_auth=True" "$f"
+ sed -i "/^[[:space:]]*\[pam\]/a pam_cert_auth=True" "$f"
found=true
fi
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sssd_memcache_timeout' differs.
--- xccdf_org.ssgproject.content_rule_sssd_memcache_timeout
+++ xccdf_org.ssgproject.content_rule_sssd_memcache_timeout
@@ -18,19 +18,19 @@
fi
# find key in section and change value
- if grep -qzosP "[[:space:]]*\[nss\]([^\n\[]*\n+)+?[[:space:]]*memcache_timeout" "$f"; then
- if ! grep -qPz "memcache_timeout=$var_sssd_memcache_timeout" "$f"; then
+ if grep -qzosP "(?m)^[[:space:]]*\[nss\]([^\n\[]*\n+)+?[[:space:]]*memcache_timeout" "$f"; then
+ if ! grep -qzosP "(?m)^[[:space:]]*memcache_timeout[[:space:]]*=[[:space:]]*$var_sssd_memcache_timeout" "$f"; then
- sed -i "s/memcache_timeout[^(\n)]*/memcache_timeout=$var_sssd_memcache_timeout/" "$f"
+ sed -i "/^[[:space:]]*memcache_timeout/s/\([[:blank:]]*=[[:blank:]]*\).*/\1$var_sssd_memcache_timeout/" "$f"
fi
found=true
# find section and add key = value to it
- elif grep -qs "[[:space:]]*\[nss\]" "$f"; then
+ elif grep -qs "^[[:space:]]*\[nss\]" "$f"; then
- sed -i "/[[:space:]]*\[nss\]/a memcache_timeout=$var_sssd_memcache_timeout" "$f"
+ sed -i "/^[[:space:]]*\[nss\]/a memcache_timeout=$var_sssd_memcache_timeout" "$f"
found=true
fi
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sssd_offline_cred_expiration' differs.
--- xccdf_org.ssgproject.content_rule_sssd_offline_cred_expiration
+++ xccdf_org.ssgproject.content_rule_sssd_offline_cred_expiration
@@ -15,19 +15,19 @@
fi
# find key in section and change value
- if grep -qzosP "[[:space:]]*\[pam\]([^\n\[]*\n+)+?[[:space:]]*offline_credentials_expiration" "$f"; then
- if ! grep -qPz "offline_credentials_expiration=1" "$f"; then
+ if grep -qzosP "(?m)^[[:space:]]*\[pam\]([^\n\[]*\n+)+?[[:space:]]*offline_credentials_expiration" "$f"; then
+ if ! grep -qzosP "(?m)^[[:space:]]*offline_credentials_expiration[[:space:]]*=[[:space:]]*1" "$f"; then
- sed -i "s/offline_credentials_expiration[^(\n)]*/offline_credentials_expiration=1/" "$f"
+ sed -i "/^[[:space:]]*offline_credentials_expiration/s/\([[:blank:]]*=[[:blank:]]*\).*/\11/" "$f"
fi
found=true
# find section and add key = value to it
- elif grep -qs "[[:space:]]*\[pam\]" "$f"; then
+ elif grep -qs "^[[:space:]]*\[pam\]" "$f"; then
- sed -i "/[[:space:]]*\[pam\]/a offline_credentials_expiration=1" "$f"
+ sed -i "/^[[:space:]]*\[pam\]/a offline_credentials_expiration=1" "$f"
found=true
fi
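Review bot: `=[[:space:]]*1` on the `! grep -qzosP "(?m)^[[:space:]]*offline_credentials_expiration...` line is a prefix match, so `offline_credentials_expiration = 10` (or `15`) is reported compliant and the sed is skipped, leaving the longer cache lifetime in place. Since `(?m)` is set, `1[[:space:]]*$` at the end of the pattern fixes it; the same terminator is needed in the memcache_timeout and ssh_known_hosts_timeout hunks, where `$var_...` is matched against a numeric value with nothing after it, so a timeout of `3000` passes a check for `300`.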
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sssd_run_as_sssd_user' differs.
--- xccdf_org.ssgproject.content_rule_sssd_run_as_sssd_user
+++ xccdf_org.ssgproject.content_rule_sssd_run_as_sssd_user
@@ -17,19 +17,19 @@
fi
# find key in section and change value
- if grep -qzosP "[[:space:]]*\[sssd\]([^\n\[]*\n+)+?[[:space:]]*user" "$f"; then
- if ! grep -qPz "user=sssd" "$f"; then
+ if grep -qzosP "(?m)^[[:space:]]*\[sssd\]([^\n\[]*\n+)+?[[:space:]]*user" "$f"; then
+ if ! grep -qzosP "(?m)^[[:space:]]*user[[:space:]]*=[[:space:]]*sssd" "$f"; then
- sed -i "s/user[^(\n)]*/user=sssd/" "$f"
+ sed -i "/^[[:space:]]*user/s/\([[:blank:]]*=[[:blank:]]*\).*/\1sssd/" "$f"
fi
found=true
# find section and add key = value to it
- elif grep -qs "[[:space:]]*\[sssd\]" "$f"; then
+ elif grep -qs "^[[:space:]]*\[sssd\]" "$f"; then
- sed -i "/[[:space:]]*\[sssd\]/a user=sssd" "$f"
+ sed -i "/^[[:space:]]*\[sssd\]/a user=sssd" "$f"
found=true
fi
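Review bot: `user` is the shortest key in this series and neither the sed address `/^[[:space:]]*user/` nor the value check `^[[:space:]]*user[[:space:]]*=[[:space:]]*sssd` bounds it. The check is implicitly bounded by the `=` that must follow, but the sed address is not: any line anywhere in sssd.conf whose key merely begins with `user` is rewritten to `... = sssd`, since the sed is not scoped to `[sssd]` either. Matching the separator in the address, `/^[[:space:]]*user[[:blank:]]*=/`, removes the prefix collision for this and every other key the template emits.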
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sssd_ssh_known_hosts_timeout' differs.
--- xccdf_org.ssgproject.content_rule_sssd_ssh_known_hosts_timeout
+++ xccdf_org.ssgproject.content_rule_sssd_ssh_known_hosts_timeout
@@ -18,19 +18,19 @@
fi
# find key in section and change value
- if grep -qzosP "[[:space:]]*\[ssh\]([^\n\[]*\n+)+?[[:space:]]*ssh_known_hosts_timeout" "$f"; then
- if ! grep -qPz "ssh_known_hosts_timeout=$var_sssd_ssh_known_hosts_timeout" "$f"; then
+ if grep -qzosP "(?m)^[[:space:]]*\[ssh\]([^\n\[]*\n+)+?[[:space:]]*ssh_known_hosts_timeout" "$f"; then
+ if ! grep -qzosP "(?m)^[[:space:]]*ssh_known_hosts_timeout[[:space:]]*=[[:space:]]*$var_sssd_ssh_known_hosts_timeout" "$f"; then
- sed -i "s/ssh_known_hosts_timeout[^(\n)]*/ssh_known_hosts_timeout=$var_sssd_ssh_known_hosts_timeout/" "$f"
+ sed -i "/^[[:space:]]*ssh_known_hosts_timeout/s/\([[:blank:]]*=[[:blank:]]*\).*/\1$var_sssd_ssh_known_hosts_timeout/" "$f"
fi
found=true
# find section and add key = value to it
- elif grep -qs "[[:space:]]*\[ssh\]" "$f"; then
+ elif grep -qs "^[[:space:]]*\[ssh\]" "$f"; then
- sed -i "/[[:space:]]*\[ssh\]/a ssh_known_hosts_timeout=$var_sssd_ssh_known_hosts_timeout" "$f"
+ sed -i "/^[[:space:]]*\[ssh\]/a ssh_known_hosts_timeout=$var_sssd_ssh_known_hosts_timeout" "$f"
found=true
fi
d34d492 to 4f24ddf
@ggbecker: The following test failed, say
Collaborator
@ggbecker please rebase to remove the unwanted commits from the PR
4f24ddf to 0405aa3
Member
Author
Done.
In cases where a compliant commented-out value was found,
the script would consider a found=true directive and would then ignore
the rest of the remediation.
For example, if it would find
[Journal]
#ForwardToSyslog=no
for the rule journald_disable_forward_to_syslog, then it would not run
the entire remediation with the proper fix.
Detailed description of implemented changes
Anchor at Start of Line: Added ^ to grep and sed patterns. This ensures that a line starting with #{{{ key }}} will not match, as the regex now expects the line to start with either whitespace or the key itself.
Multiline Mode for Grep: Added (?m) to the grep -P commands. This flag makes the ^ anchor match the start of every line within the file buffer instead of just the very beginning of the file.
Selective Sed Replacement: The sed command now specifically selects the line to edit by matching the un-commented key at the start of a line (/^[[:space:]]*{{{ key }}}/) before performing the substitution (s/=.*/.../).
Active Value Verification: The second grep check now verifies if the active configuration matches the target value, preventing it from seeing a commented-out correct value and wrongly deciding that no action is needed.
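The masking case behind this fix, as an added example that is not ComplianceAsCode's template code: the corrected grep/sed sequence from the diff above is wrapped in a shell function and run against a constructed journald-style file in which a commented-out `#ForwardToSyslog=no` sits above an active `ForwardToSyslog = yes`. The function names `ensure_ini_key`, `legacy_value_check`, `active_value` and `demo` are my own, the sample file is constructed, and GNU grep with PCRE (`-P`, `-z`) plus GNU sed (`-i`, one-line `a`) are assumed, as the remediation itself assumes them.

```shell
#!/bin/bash
# Added example, not part of the ComplianceAsCode template: the post-PR
# "find key in section, then fix the active value" logic, parameterised so
# it can be exercised against a constructed file.
# Assumes GNU grep (-P, -z) and GNU sed (-i, one-line `a`), like the template.

# ensure_ini_key FILE SECTION KEY VALUE
# SECTION/KEY/VALUE are spliced verbatim into regexes, so they must be plain
# identifiers (as the template's literals are).
# Returns 0 when the section exists (key set, or already active with VALUE),
# 1 when the section is absent and the caller must create it.
ensure_ini_key() {
    local f="$1" section="$2" key="$3" value="$4"
    # (?m) makes ^ match at every line start inside the single -z record, so a
    # "#KEY" line no longer counts as the key being present under the section.
    if grep -qzosP "(?m)^[[:space:]]*\[${section}\]([^\n\[]*\n+)+?[[:space:]]*${key}" "$f"; then
        # Skip only when an *uncommented* line already carries VALUE.
        if ! grep -qzosP "(?m)^[[:space:]]*${key}[[:space:]]*=[[:space:]]*${value}" "$f"; then
            # Rewrite just the value on lines that start with KEY, keeping the
            # spacing around '='; commented lines never match the address.
            sed -i "/^[[:space:]]*${key}/s/\([[:blank:]]*=[[:blank:]]*\).*/\1${value}/" "$f"
        fi
        return 0
    elif grep -qs "^[[:space:]]*\[${section}\]" "$f"; then
        # Section exists but the key is missing (or only commented out).
        sed -i "/^[[:space:]]*\[${section}\]/a ${key}=${value}" "$f"
        return 0
    fi
    return 1
}

# legacy_value_check FILE KEY VALUE: the pre-PR compliance test. It has no
# line anchor, so a commented "#KEY=VALUE" satisfies it. 0 means "compliant".
legacy_value_check() {
    grep -qPz "$2=$3" "$1"
}

# active_value FILE KEY: value of the first uncommented KEY line.
active_value() {
    sed -n "s/^[[:space:]]*$2[[:blank:]]*=[[:blank:]]*//p" "$1" | head -n 1
}

# demo: constructed journald.conf fragment (not taken from a real host). The
# compliant value exists only as a comment; the active line is non-compliant.
demo() {
    local tmp old
    tmp=$(mktemp)
    printf '%s\n' '[Journal]' '#ForwardToSyslog=no' 'ForwardToSyslog = yes' 'Compress=yes' > "$tmp"

    old=no
    legacy_value_check "$tmp" ForwardToSyslog no && old=yes   # old check is fooled by the comment

    ensure_ini_key "$tmp" Journal ForwardToSyslog no           # fixed logic rewrites the live line
    ensure_ini_key "$tmp" Journal Compress yes                 # already active: nothing to do

    printf 'old_check_passed=%s active=%s commented_lines=%s\n' \
        "$old" "$(active_value "$tmp" ForwardToSyslog)" "$(grep -c '^#ForwardToSyslog' "$tmp")"
    rm -f "$tmp"
}

demo   # → old_check_passed=yes active=no commented_lines=1
```

The old value check reports the file compliant on the strength of the comment alone, while `ensure_ini_key` leaves the comment in place and rewrites only the live line. Like the template it mirrors, the function is still not scoped to the section once the key has been located, and KEY is matched as a prefix in the sed address, so feed it only keys that cannot collide with longer names in the same file.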
0405aa3 to 5ad5bc6
jan-cerny approved these changes, Feb 24, 2026