Add default domain to SSSD related remediations and fix Fedora test failures #14726
Draft
Arden97 wants to merge 2 commits into
Conversation
Skipping CI for Draft Pull Request.
This datastream diff is auto generated by the check.
bash remediation for rule 'xccdf_org.ssgproject.content_rule_xwayland_disabled' differs.
--- xccdf_org.ssgproject.content_rule_xwayland_disabled
+++ xccdf_org.ssgproject.content_rule_xwayland_disabled
@@ -11,11 +11,12 @@
# find key in section and change value
if grep -qzosP "(?m)^[[:space:]]*\[daemon\]([^\n\[]*\n+)+?[[:space:]]*WaylandEnable" "$f"; then
- if ! grep -qzosP "(?m)^[[:space:]]*WaylandEnable[[:space:]]*=[[:space:]]*false" "$f"; then
sed -i "/^[[:space:]]*WaylandEnable/s/\([[:blank:]]*=[[:blank:]]*\).*/\1false/" "$f"
- fi
+
+ # remove duplicate key lines, keep only the first occurrence
+ sed -i '0,/^[[:space:]]*WaylandEnable[[:blank:]]*=/b; /^[[:space:]]*WaylandEnable[[:blank:]]*=/d' "$f"
found=true
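Review bot: Both sed expressions in this hunk operate on the whole file, not on the `[daemon]` section that the grep on the line above just matched, and the substitution address `/^[[:space:]]*WaylandEnable/` is a prefix match without the `[[:blank:]]*=` terminator the new dedup line uses. For gdm's custom.conf that is harmless, but this hunk is the rendered `bash_ensure_ini_config` macro, which the SSSD rules below apply to sssd.conf, where the same key name can legitimately appear in more than one section; the new `0,/.../b; /.../d` line would delete a later section's copy. Consider restricting both expressions to the matched section, e.g. a range address from `/^[[:space:]]*\[daemon\]/` to the next `/^[[:space:]]*\[/`. Dropping the `if ! grep` guard also means `sed -i` rewrites the file (new inode, new mtime) on every run even when the value is already correct, which file-integrity monitoring will report; keeping the guard and running the dedup outside it avoids that.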
bash remediation for rule 'xccdf_org.ssgproject.content_rule_disable_weak_deps' differs.
--- xccdf_org.ssgproject.content_rule_disable_weak_deps
+++ xccdf_org.ssgproject.content_rule_disable_weak_deps
@@ -11,11 +11,12 @@
# find key in section and change value
if grep -qzosP "(?m)^[[:space:]]*\[main\]([^\n\[]*\n+)+?[[:space:]]*install_weak_deps" "$f"; then
- if ! grep -qzosP "(?m)^[[:space:]]*install_weak_deps[[:space:]]*=[[:space:]]*0" "$f"; then
sed -i "/^[[:space:]]*install_weak_deps/s/\([[:blank:]]*=[[:blank:]]*\).*/\10/" "$f"
- fi
+
+ # remove duplicate key lines, keep only the first occurrence
+ sed -i '0,/^[[:space:]]*install_weak_deps[[:blank:]]*=/b; /^[[:space:]]*install_weak_deps[[:blank:]]*=/d' "$f"
found=true
bash remediation for rule 'xccdf_org.ssgproject.content_rule_dnf-automatic_apply_updates' differs.
--- xccdf_org.ssgproject.content_rule_dnf-automatic_apply_updates
+++ xccdf_org.ssgproject.content_rule_dnf-automatic_apply_updates
@@ -11,11 +11,12 @@
# find key in section and change value
if grep -qzosP "(?m)^[[:space:]]*\[commands\]([^\n\[]*\n+)+?[[:space:]]*apply_updates" "$f"; then
- if ! grep -qzosP "(?m)^[[:space:]]*apply_updates[[:space:]]*=[[:space:]]*yes" "$f"; then
sed -i "/^[[:space:]]*apply_updates/s/\([[:blank:]]*=[[:blank:]]*\).*/\1yes/" "$f"
- fi
+
+ # remove duplicate key lines, keep only the first occurrence
+ sed -i '0,/^[[:space:]]*apply_updates[[:blank:]]*=/b; /^[[:space:]]*apply_updates[[:blank:]]*=/d' "$f"
found=true
bash remediation for rule 'xccdf_org.ssgproject.content_rule_dnf-automatic_security_updates_only' differs.
--- xccdf_org.ssgproject.content_rule_dnf-automatic_security_updates_only
+++ xccdf_org.ssgproject.content_rule_dnf-automatic_security_updates_only
@@ -11,11 +11,12 @@
# find key in section and change value
if grep -qzosP "(?m)^[[:space:]]*\[commands\]([^\n\[]*\n+)+?[[:space:]]*upgrade_type" "$f"; then
- if ! grep -qzosP "(?m)^[[:space:]]*upgrade_type[[:space:]]*=[[:space:]]*security" "$f"; then
sed -i "/^[[:space:]]*upgrade_type/s/\([[:blank:]]*=[[:blank:]]*\).*/\1security/" "$f"
- fi
+
+ # remove duplicate key lines, keep only the first occurrence
+ sed -i '0,/^[[:space:]]*upgrade_type[[:blank:]]*=/b; /^[[:space:]]*upgrade_type[[:blank:]]*=/d' "$f"
found=true
bash remediation for rule 'xccdf_org.ssgproject.content_rule_require_singleuser_auth' differs.
--- xccdf_org.ssgproject.content_rule_require_singleuser_auth
+++ xccdf_org.ssgproject.content_rule_require_singleuser_auth
@@ -11,11 +11,12 @@
# find key in section and change value
if grep -qzosP "(?m)^[[:space:]]*\[Service\]([^\n\[]*\n+)+?[[:space:]]*ExecStart" "$f"; then
- if ! grep -qzosP "(?m)^[[:space:]]*ExecStart[[:space:]]*=[[:space:]]*\nExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue" "$f"; then
sed -i "/^[[:space:]]*ExecStart/s/\([[:blank:]]*=[[:blank:]]*\).*/\1\nExecStart=-\/usr\/lib\/systemd\/systemd-sulogin-shell rescue/" "$f"
- fi
+
+ # remove duplicate key lines, keep only the first occurrence
+ sed -i '0,/^[[:space:]]*ExecStart[[:blank:]]*=/b; /^[[:space:]]*ExecStart[[:blank:]]*=/d' "$f"
found=true
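Review bot: The generic dedup line breaks this rule. The substitution on the line above deliberately produces two lines, an empty `ExecStart=` (the systemd list reset) followed by `ExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue`, which is exactly the pair the removed guard `grep` was checking for. The new `sed -i '0,/^[[:space:]]*ExecStart[[:blank:]]*=/b; /^[[:space:]]*ExecStart[[:blank:]]*=/d'` keeps the first match, the empty reset line, and deletes the second, so only the reset survives and the rescue shell is never configured. The dedup has to be skipped when the value contains a newline, or this rule should stop using the generic macro.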
bash remediation for rule 'xccdf_org.ssgproject.content_rule_journald_compress' differs.
--- xccdf_org.ssgproject.content_rule_journald_compress
+++ xccdf_org.ssgproject.content_rule_journald_compress
@@ -11,11 +11,12 @@
# find key in section and change value
if grep -qzosP "(?m)^[[:space:]]*\[Journal\]([^\n\[]*\n+)+?[[:space:]]*Compress" "$f"; then
- if ! grep -qzosP "(?m)^[[:space:]]*Compress[[:space:]]*=[[:space:]]*yes" "$f"; then
sed -i "/^[[:space:]]*Compress/s/\([[:blank:]]*=[[:blank:]]*\).*/\1yes/" "$f"
- fi
+
+ # remove duplicate key lines, keep only the first occurrence
+ sed -i '0,/^[[:space:]]*Compress[[:blank:]]*=/b; /^[[:space:]]*Compress[[:blank:]]*=/d' "$f"
found=true
bash remediation for rule 'xccdf_org.ssgproject.content_rule_journald_disable_forward_to_syslog' differs.
--- xccdf_org.ssgproject.content_rule_journald_disable_forward_to_syslog
+++ xccdf_org.ssgproject.content_rule_journald_disable_forward_to_syslog
@@ -11,11 +11,12 @@
# find key in section and change value
if grep -qzosP "(?m)^[[:space:]]*\[Journal\]([^\n\[]*\n+)+?[[:space:]]*ForwardToSyslog" "$f"; then
- if ! grep -qzosP "(?m)^[[:space:]]*ForwardToSyslog[[:space:]]*=[[:space:]]*no" "$f"; then
sed -i "/^[[:space:]]*ForwardToSyslog/s/\([[:blank:]]*=[[:blank:]]*\).*/\1no/" "$f"
- fi
+
+ # remove duplicate key lines, keep only the first occurrence
+ sed -i '0,/^[[:space:]]*ForwardToSyslog[[:blank:]]*=/b; /^[[:space:]]*ForwardToSyslog[[:blank:]]*=/d' "$f"
found=true
bash remediation for rule 'xccdf_org.ssgproject.content_rule_journald_forward_to_syslog' differs.
--- xccdf_org.ssgproject.content_rule_journald_forward_to_syslog
+++ xccdf_org.ssgproject.content_rule_journald_forward_to_syslog
@@ -11,11 +11,12 @@
# find key in section and change value
if grep -qzosP "(?m)^[[:space:]]*\[Journal\]([^\n\[]*\n+)+?[[:space:]]*ForwardToSyslog" "$f"; then
- if ! grep -qzosP "(?m)^[[:space:]]*ForwardToSyslog[[:space:]]*=[[:space:]]*yes" "$f"; then
sed -i "/^[[:space:]]*ForwardToSyslog/s/\([[:blank:]]*=[[:blank:]]*\).*/\1yes/" "$f"
- fi
+
+ # remove duplicate key lines, keep only the first occurrence
+ sed -i '0,/^[[:space:]]*ForwardToSyslog[[:blank:]]*=/b; /^[[:space:]]*ForwardToSyslog[[:blank:]]*=/d' "$f"
found=true
bash remediation for rule 'xccdf_org.ssgproject.content_rule_journald_storage' differs.
--- xccdf_org.ssgproject.content_rule_journald_storage
+++ xccdf_org.ssgproject.content_rule_journald_storage
@@ -11,11 +11,12 @@
# find key in section and change value
if grep -qzosP "(?m)^[[:space:]]*\[Journal\]([^\n\[]*\n+)+?[[:space:]]*Storage" "$f"; then
- if ! grep -qzosP "(?m)^[[:space:]]*Storage[[:space:]]*=[[:space:]]*persistent" "$f"; then
sed -i "/^[[:space:]]*Storage/s/\([[:blank:]]*=[[:blank:]]*\).*/\1persistent/" "$f"
- fi
+
+ # remove duplicate key lines, keep only the first occurrence
+ sed -i '0,/^[[:space:]]*Storage[[:blank:]]*=/b; /^[[:space:]]*Storage[[:blank:]]*=/d' "$f"
found=true
bash remediation for rule 'xccdf_org.ssgproject.content_rule_coredump_disable_backtraces' differs.
--- xccdf_org.ssgproject.content_rule_coredump_disable_backtraces
+++ xccdf_org.ssgproject.content_rule_coredump_disable_backtraces
@@ -11,11 +11,12 @@
# find key in section and change value
if grep -qzosP "(?m)^[[:space:]]*\[Coredump\]([^\n\[]*\n+)+?[[:space:]]*ProcessSizeMax" "$f"; then
- if ! grep -qzosP "(?m)^[[:space:]]*ProcessSizeMax[[:space:]]*=[[:space:]]*0" "$f"; then
sed -i "/^[[:space:]]*ProcessSizeMax/s/\([[:blank:]]*=[[:blank:]]*\).*/\10/" "$f"
- fi
+
+ # remove duplicate key lines, keep only the first occurrence
+ sed -i '0,/^[[:space:]]*ProcessSizeMax[[:blank:]]*=/b; /^[[:space:]]*ProcessSizeMax[[:blank:]]*=/d' "$f"
found=true
bash remediation for rule 'xccdf_org.ssgproject.content_rule_coredump_disable_storage' differs.
--- xccdf_org.ssgproject.content_rule_coredump_disable_storage
+++ xccdf_org.ssgproject.content_rule_coredump_disable_storage
@@ -11,11 +11,12 @@
# find key in section and change value
if grep -qzosP "(?m)^[[:space:]]*\[Coredump\]([^\n\[]*\n+)+?[[:space:]]*Storage" "$f"; then
- if ! grep -qzosP "(?m)^[[:space:]]*Storage[[:space:]]*=[[:space:]]*none" "$f"; then
sed -i "/^[[:space:]]*Storage/s/\([[:blank:]]*=[[:blank:]]*\).*/\1none/" "$f"
- fi
+
+ # remove duplicate key lines, keep only the first occurrence
+ sed -i '0,/^[[:space:]]*Storage[[:blank:]]*=/b; /^[[:space:]]*Storage[[:blank:]]*=/d' "$f"
found=true
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sssd_certificate_verification' differs.
--- xccdf_org.ssgproject.content_rule_sssd_certificate_verification
+++ xccdf_org.ssgproject.content_rule_sssd_certificate_verification
@@ -9,23 +9,41 @@
OLD_UMASK=$(umask)
umask u=rw,go=
-MAIN_CONF="/etc/sssd/conf.d/certificate_verification.conf"
+SSSD_CONF="/etc/sssd/sssd.conf"
+SSSD_CONF_DIR="/etc/sssd/conf.d"
+mkdir -p "$(dirname "$SSSD_CONF")"
+if [ ! -f "$SSSD_CONF" ]; then
+ touch "$SSSD_CONF"
+fi
+if ! grep -qsrP '^\s*\[domain/' "$SSSD_CONF" "$SSSD_CONF_DIR"/*.conf 2>/dev/null; then
+cat >> "$SSSD_CONF" << EOF
+
+[sssd]
+domains = default
+
+[domain/default]
+id_provider = files
+EOF
+fi
+
+MAIN_CONF="$SSSD_CONF_DIR/certificate_verification.conf"
found=false
# set value in all files if they contain section or key
-for f in $(echo -n "$MAIN_CONF /etc/sssd/sssd.conf /etc/sssd/conf.d/*.conf"); do
+for f in $(echo -n "$MAIN_CONF $SSSD_CONF $SSSD_CONF_DIR/*.conf"); do
if [ ! -e "$f" ]; then
continue
fi
# find key in section and change value
if grep -qzosP "(?m)^[[:space:]]*\[sssd\]([^\n\[]*\n+)+?[[:space:]]*certificate_verification" "$f"; then
- if ! grep -qzosP "(?m)^[[:space:]]*certificate_verification[[:space:]]*=[[:space:]]*ocsp_dgst=$var_sssd_certificate_verification_digest_function" "$f"; then
sed -i "/^[[:space:]]*certificate_verification/s/\([[:blank:]]*=[[:blank:]]*\).*/\1ocsp_dgst=$var_sssd_certificate_verification_digest_function/" "$f"
- fi
+
+ # remove duplicate key lines, keep only the first occurrence
+ sed -i '0,/^[[:space:]]*certificate_verification[[:blank:]]*=/b; /^[[:space:]]*certificate_verification[[:blank:]]*=/d' "$f"
found=true
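Review bot: The heredoc appends a fresh `[sssd]` section whenever no `[domain/...]` header exists, without checking whether sssd.conf already has a `[sssd]` section (it usually does, if only with `services =` or `config_file_version`). The Ansible version of the same change below uses ini_file and edits the existing section, so the two remediations produce different files. Unless SSSD's parser is known to merge duplicate sections, append only `[domain/default]` with `id_provider = files` here and set `domains` through the existing `bash_ensure_ini_config` path. Two points to confirm for the Fedora targets named in the title: `id_provider = files` only works where the files provider is still built into the installed SSSD (the proxy provider is the usual replacement where it is not), and `mkdir -p "$(dirname "$SSSD_CONF")"` runs under the `umask u=rw,go=` set above, so a freshly created /etc/sssd would get mode 0600 with no search bit.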
@@ -40,7 +58,7 @@
# if section not in any file, append section with key = value to FIRST file in files parameter
if ! $found ; then
- file=$(echo "$MAIN_CONF /etc/sssd/sssd.conf /etc/sssd/conf.d/*.conf" | cut -f1 -d ' ')
+ file=$(echo "$MAIN_CONF $SSSD_CONF $SSSD_CONF_DIR/*.conf" | cut -f1 -d ' ')
mkdir -p "$(dirname "$file")"
echo -e "[sssd]\ncertificate_verification=ocsp_dgst=$var_sssd_certificate_verification_digest_function" >> "$file"
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sssd_certificate_verification' differs.
--- xccdf_org.ssgproject.content_rule_sssd_certificate_verification
+++ xccdf_org.ssgproject.content_rule_sssd_certificate_verification
@@ -16,6 +16,74 @@
var_sssd_certificate_verification_digest_function: !!str
tags:
- always
+
+- name: Test for domain group in main config
+ ansible.builtin.command: grep '^\s*\[domain\/[^]]*]' /etc/sssd/sssd.conf
+ register: test_grep_domain
+ failed_when: false
+ changed_when: false
+ check_mode: false
+ when: '"sssd-common" in ansible_facts.packages'
+ tags:
+ - CCE-86120-3
+ - DISA-STIG-RHEL-08-010400
+ - NIST-800-53-IA-2(11)
+ - configure_strategy
+ - low_complexity
+ - medium_disruption
+ - medium_severity
+ - no_reboot_needed
+ - sssd_certificate_verification
+
+- name: Test for domain group in conf.d
+ ansible.builtin.shell: grep -rs '^\s*\[domain\/[^]]*]' /etc/sssd/conf.d/*.conf 2>/dev/null
+ register: test_grep_domain_conf_d
+ failed_when: false
+ changed_when: false
+ check_mode: false
+ when: '"sssd-common" in ansible_facts.packages'
+ tags:
+ - CCE-86120-3
+ - DISA-STIG-RHEL-08-010400
+ - NIST-800-53-IA-2(11)
+ - configure_strategy
+ - low_complexity
+ - medium_disruption
+ - medium_severity
+ - no_reboot_needed
+ - sssd_certificate_verification
+
+- name: Add default domain group (if no domain there)
+ community.general.ini_file:
+ path: /etc/sssd/sssd.conf
+ section: '{{ item.section }}'
+ option: '{{ item.option }}'
+ value: '{{ item.value }}'
+ create: true
+ mode: 384
+ with_items:
+ - section: sssd
+ option: domains
+ value: default
+ - section: domain/default
+ option: id_provider
+ value: files
+ when:
+ - '"sssd-common" in ansible_facts.packages'
+ - test_grep_domain.stdout is defined
+ - test_grep_domain.stdout | length < 1
+ - test_grep_domain_conf_d.stdout is defined
+ - test_grep_domain_conf_d.stdout | length < 1
+ tags:
+ - CCE-86120-3
+ - DISA-STIG-RHEL-08-010400
+ - NIST-800-53-IA-2(11)
+ - configure_strategy
+ - low_complexity
+ - medium_disruption
+ - medium_severity
+ - no_reboot_needed
+ - sssd_certificate_verification
- name: Ensure that "certificate_verification" is not set in /etc/sssd/sssd.conf
community.general.ini_file:
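Review bot: In the `Add default domain group` task, `mode: 384` is the decimal rendering of 0600; emit it as the string `'0600'` from the template so the datastream reads as a permission and ansible-lint does not flag it, and prefer `loop:` over `with_items:` for the same reason. The two grep tasks above it are what the CI comment about a more suitable Ansible module refers to: the conf.d one needs `ansible.builtin.shell` only for the `*.conf` glob and could be an `ansible.builtin.find` with `paths: /etc/sssd/conf.d`, `patterns: '*.conf'` and `contains: '^\s*\[domain/'`, which also removes the `2>/dev/null` and the `-r` flag that does nothing when explicit files are given.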
@@ -36,7 +104,7 @@
- no_reboot_needed
- sssd_certificate_verification
-- name: Ensure that "certificate_verification" is not set in /etc/sssd/conf.d/*.conf
+- name: Ensure that "certificate_verification" is not set in /etc/sssd/conf.d/*.conf
community.general.ini_file:
path: /etc/sssd/conf.d/*.conf
section: sssd
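Review bot: Only whitespace changed on the `- name:` line here (both versions read the same), but the context shows `path: /etc/sssd/conf.d/*.conf` handed to `community.general.ini_file`; ini_file does not expand globs, so this task either edits nothing or, if `create` is enabled on it, writes a file literally named `*.conf`. The find-then-loop pattern used for pam_services further down in this diff is the right shape for conf.d.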
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sssd_enable_pam_services' differs.
--- xccdf_org.ssgproject.content_rule_sssd_enable_pam_services
+++ xccdf_org.ssgproject.content_rule_sssd_enable_pam_services
@@ -7,16 +7,26 @@
umask u=rw,go=
SSSD_CONF="/etc/sssd/sssd.conf"
-SSSD_CONF_DIR="/etc/sssd/conf.d/*.conf"
-
-if [ ! -f "$SSSD_CONF" ] && [ ! -f "$SSSD_CONF_DIR" ]; then
- mkdir -p /etc/sssd
+SSSD_CONF_DIR="/etc/sssd/conf.d"
+mkdir -p "$(dirname "$SSSD_CONF")"
+if [ ! -f "$SSSD_CONF" ]; then
touch "$SSSD_CONF"
fi
+if ! grep -qsrP '^\s*\[domain/' "$SSSD_CONF" "$SSSD_CONF_DIR"/*.conf 2>/dev/null; then
+cat >> "$SSSD_CONF" << EOF
+
+[sssd]
+domains = default
+
+[domain/default]
+id_provider = files
+EOF
+fi
+
# Flag to check if there is already services with pam
service_already_exist=false
-for f in $SSSD_CONF $SSSD_CONF_DIR; do
+for f in $SSSD_CONF $SSSD_CONF_DIR/*.conf; do
if [ ! -e "$f" ]; then
continue
fi
@@ -38,7 +48,7 @@
# If there was no service in [sssd], add it to first config
if [ "$service_already_exist" = false ]; then
- for f in $SSSD_CONF $SSSD_CONF_DIR; do
+ for f in $SSSD_CONF $SSSD_CONF_DIR/*.conf; do
cat << EOF >> "$f"
[sssd]
services = pam
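Review bot: With sssd.conf now created unconditionally and the default-domain heredoc above appending `[sssd]` / `domains = default` whenever no domain exists, this fallback appends a second `[sssd]` block with `services = pam` to the same file, so the minimal fresh-system case ends with two `[sssd]` sections in one file. Either fold `services = pam` into the default-domain heredoc or make this branch write into the section that already exists. Separately, the removed `[ ! -f "$SSSD_CONF_DIR" ]` test against a glob could never match, so always creating sssd.conf is the right fix.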
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sssd_enable_pam_services' differs.
--- xccdf_org.ssgproject.content_rule_sssd_enable_pam_services
+++ xccdf_org.ssgproject.content_rule_sssd_enable_pam_services
@@ -12,11 +12,79 @@
- no_reboot_needed
- sssd_enable_pam_services
-- name: Configure PAM in SSSD Services - Find all the conf files inside the /etc/sssd/conf.d/
+- name: Test for domain group in main config
+ ansible.builtin.command: grep '^\s*\[domain\/[^]]*]' /etc/sssd/sssd.conf
+ register: test_grep_domain
+ failed_when: false
+ changed_when: false
+ check_mode: false
+ when: '"sssd-common" in ansible_facts.packages'
+ tags:
+ - CCE-82446-6
+ - NIST-800-53-CM-6(a)
+ - NIST-800-53-IA-2(1)
+ - configure_strategy
+ - low_complexity
+ - medium_disruption
+ - medium_severity
+ - no_reboot_needed
+ - sssd_enable_pam_services
+
+- name: Test for domain group in conf.d
+ ansible.builtin.shell: grep -rs '^\s*\[domain\/[^]]*]' /etc/sssd/conf.d/*.conf 2>/dev/null
+ register: test_grep_domain_conf_d
+ failed_when: false
+ changed_when: false
+ check_mode: false
+ when: '"sssd-common" in ansible_facts.packages'
+ tags:
+ - CCE-82446-6
+ - NIST-800-53-CM-6(a)
+ - NIST-800-53-IA-2(1)
+ - configure_strategy
+ - low_complexity
+ - medium_disruption
+ - medium_severity
+ - no_reboot_needed
+ - sssd_enable_pam_services
+
+- name: Add default domain group (if no domain there)
+ community.general.ini_file:
+ path: /etc/sssd/sssd.conf
+ section: '{{ item.section }}'
+ option: '{{ item.option }}'
+ value: '{{ item.value }}'
+ create: true
+ mode: 384
+ with_items:
+ - section: sssd
+ option: domains
+ value: default
+ - section: domain/default
+ option: id_provider
+ value: files
+ when:
+ - '"sssd-common" in ansible_facts.packages'
+ - test_grep_domain.stdout is defined
+ - test_grep_domain.stdout | length < 1
+ - test_grep_domain_conf_d.stdout is defined
+ - test_grep_domain_conf_d.stdout | length < 1
+ tags:
+ - CCE-82446-6
+ - NIST-800-53-CM-6(a)
+ - NIST-800-53-IA-2(1)
+ - configure_strategy
+ - low_complexity
+ - medium_disruption
+ - medium_severity
+ - no_reboot_needed
+ - sssd_enable_pam_services
+
+- name: Configure PAM in SSSD Services - Find all the conf files inside the /etc/sssd/conf.d
directory
ansible.builtin.find:
paths:
- - /etc/sssd/conf.d/
+ - /etc/sssd/conf.d
patterns: '*.conf'
register: sssd_conf_d_files
when: '"sssd-common" in ansible_facts.packages'
@@ -31,7 +99,7 @@
- no_reboot_needed
- sssd_enable_pam_services
-- name: Configure PAM in SSSD Services - Modify lines in files in the /etc/sssd/conf.d/
+- name: Configure PAM in SSSD Services - Modify lines in files in the /etc/sssd/conf.d
directory
ansible.builtin.replace:
path: '{{ item }}'
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sssd_enable_smartcards' differs.
--- xccdf_org.ssgproject.content_rule_sssd_enable_smartcards
+++ xccdf_org.ssgproject.content_rule_sssd_enable_smartcards
@@ -6,21 +6,39 @@
OLD_UMASK=$(umask)
umask u=rw,go=
+SSSD_CONF="/etc/sssd/sssd.conf"
+SSSD_CONF_DIR="/etc/sssd/conf.d"
+mkdir -p "$(dirname "$SSSD_CONF")"
+if [ ! -f "$SSSD_CONF" ]; then
+ touch "$SSSD_CONF"
+fi
+if ! grep -qsrP '^\s*\[domain/' "$SSSD_CONF" "$SSSD_CONF_DIR"/*.conf 2>/dev/null; then
+cat >> "$SSSD_CONF" << EOF
+
+[sssd]
+domains = default
+
+[domain/default]
+id_provider = files
+EOF
+fi
+
found=false
# set value in all files if they contain section or key
-for f in $(echo -n "/etc/sssd/sssd.conf /etc/sssd/conf.d/*.conf"); do
+for f in $(echo -n "$SSSD_CONF $SSSD_CONF_DIR/*.conf"); do
if [ ! -e "$f" ]; then
continue
fi
# find key in section and change value
if grep -qzosP "(?m)^[[:space:]]*\[pam\]([^\n\[]*\n+)+?[[:space:]]*pam_cert_auth" "$f"; then
- if ! grep -qzosP "(?m)^[[:space:]]*pam_cert_auth[[:space:]]*=[[:space:]]*True" "$f"; then
sed -i "/^[[:space:]]*pam_cert_auth/s/\([[:blank:]]*=[[:blank:]]*\).*/\1True/" "$f"
- fi
+
+ # remove duplicate key lines, keep only the first occurrence
+ sed -i '0,/^[[:space:]]*pam_cert_auth[[:blank:]]*=/b; /^[[:space:]]*pam_cert_auth[[:blank:]]*=/d' "$f"
found=true
@@ -35,7 +53,7 @@
# if section not in any file, append section with key = value to FIRST file in files parameter
if ! $found ; then
- file=$(echo "/etc/sssd/sssd.conf /etc/sssd/conf.d/*.conf" | cut -f1 -d ' ')
+ file=$(echo "$SSSD_CONF $SSSD_CONF_DIR/*.conf" | cut -f1 -d ' ')
mkdir -p "$(dirname "$file")"
echo -e "[pam]\npam_cert_auth=True" >> "$file"
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sssd_enable_smartcards' differs.
--- xccdf_org.ssgproject.content_rule_sssd_enable_smartcards
+++ xccdf_org.ssgproject.content_rule_sssd_enable_smartcards
@@ -12,9 +12,27 @@
- no_reboot_needed
- sssd_enable_smartcards
-- name: Test for domain group
+- name: Test for domain group in main config
ansible.builtin.command: grep '^\s*\[domain\/[^]]*]' /etc/sssd/sssd.conf
register: test_grep_domain
+ failed_when: false
+ changed_when: false
+ check_mode: false
+ when: '"sssd-common" in ansible_facts.packages'
+ tags:
+ - CCE-80909-5
+ - DISA-STIG-RHEL-08-020250
+ - PCI-DSS-Req-8.3
+ - configure_strategy
+ - low_complexity
+ - medium_disruption
+ - medium_severity
+ - no_reboot_needed
+ - sssd_enable_smartcards
+
+- name: Test for domain group in conf.d
+ ansible.builtin.shell: grep -rs '^\s*\[domain\/[^]]*]' /etc/sssd/conf.d/*.conf 2>/dev/null
+ register: test_grep_domain_conf_d
failed_when: false
changed_when: false
check_mode: false
@@ -49,6 +67,8 @@
- '"sssd-common" in ansible_facts.packages'
- test_grep_domain.stdout is defined
- test_grep_domain.stdout | length < 1
+ - test_grep_domain_conf_d.stdout is defined
+ - test_grep_domain_conf_d.stdout | length < 1
tags:
- CCE-80909-5
- DISA-STIG-RHEL-08-020250
@@ -80,9 +100,9 @@
- no_reboot_needed
- sssd_enable_smartcards
-- name: Find all the conf files inside /etc/sssd/conf.d/
+- name: Find all the conf files inside /etc/sssd/conf.d
ansible.builtin.find:
- paths: /etc/sssd/conf.d/
+ paths: /etc/sssd/conf.d
patterns: '*.conf'
register: sssd_conf_d_files
when: '"sssd-common" in ansible_facts.packages'
@@ -97,7 +117,7 @@
- no_reboot_needed
- sssd_enable_smartcards
-- name: Fix pam_cert_auth configuration in /etc/sssd/conf.d/
+- name: Fix pam_cert_auth configuration in /etc/sssd/conf.d
ansible.builtin.replace:
path: '{{ item.path }}'
regexp: '[^#]*pam_cert_auth.*'
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sssd_memcache_timeout' differs.
--- xccdf_org.ssgproject.content_rule_sssd_memcache_timeout
+++ xccdf_org.ssgproject.content_rule_sssd_memcache_timeout
@@ -9,21 +9,39 @@
OLD_UMASK=$(umask)
umask u=rw,go=
+SSSD_CONF="/etc/sssd/sssd.conf"
+SSSD_CONF_DIR="/etc/sssd/conf.d"
+mkdir -p "$(dirname "$SSSD_CONF")"
+if [ ! -f "$SSSD_CONF" ]; then
+ touch "$SSSD_CONF"
+fi
+if ! grep -qsrP '^\s*\[domain/' "$SSSD_CONF" "$SSSD_CONF_DIR"/*.conf 2>/dev/null; then
+cat >> "$SSSD_CONF" << EOF
+
+[sssd]
+domains = default
+
+[domain/default]
+id_provider = files
+EOF
+fi
+
found=false
# set value in all files if they contain section or key
-for f in $(echo -n "/etc/sssd/sssd.conf"); do
+for f in $(echo -n "$SSSD_CONF"); do
if [ ! -e "$f" ]; then
continue
fi
# find key in section and change value
if grep -qzosP "(?m)^[[:space:]]*\[nss\]([^\n\[]*\n+)+?[[:space:]]*memcache_timeout" "$f"; then
- if ! grep -qzosP "(?m)^[[:space:]]*memcache_timeout[[:space:]]*=[[:space:]]*$var_sssd_memcache_timeout" "$f"; then
sed -i "/^[[:space:]]*memcache_timeout/s/\([[:blank:]]*=[[:blank:]]*\).*/\1$var_sssd_memcache_timeout/" "$f"
- fi
+
+ # remove duplicate key lines, keep only the first occurrence
+ sed -i '0,/^[[:space:]]*memcache_timeout[[:blank:]]*=/b; /^[[:space:]]*memcache_timeout[[:blank:]]*=/d' "$f"
found=true
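Review bot: The default-domain check scans `$SSSD_CONF` and `$SSSD_CONF_DIR/*.conf`, but the key loop directly below it is still `for f in $(echo -n "$SSSD_CONF")`, so an `[nss]` section carried in a conf.d snippet is never seen and the rule appends a conflicting `memcache_timeout` to sssd.conf instead; the ssh_known_hosts_timeout hunk has the same shape. Since `SSSD_CONF_DIR` is now defined in this script, pass `$SSSD_CONF $SSSD_CONF_DIR/*.conf` to the loop as the other SSSD rules do.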
@@ -38,7 +56,7 @@
# if section not in any file, append section with key = value to FIRST file in files parameter
if ! $found ; then
- file=$(echo "/etc/sssd/sssd.conf" | cut -f1 -d ' ')
+ file=$(echo "$SSSD_CONF" | cut -f1 -d ' ')
mkdir -p "$(dirname "$file")"
echo -e "[nss]\nmemcache_timeout=$var_sssd_memcache_timeout" >> "$file"
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sssd_memcache_timeout' differs.
--- xccdf_org.ssgproject.content_rule_sssd_memcache_timeout
+++ xccdf_org.ssgproject.content_rule_sssd_memcache_timeout
@@ -17,9 +17,27 @@
tags:
- always
-- name: Test for domain group
- ansible.builtin.command: grep '\s*\[domain\/[^]]*]' /etc/sssd/sssd.conf
+- name: Test for domain group in main config
+ ansible.builtin.command: grep '^\s*\[domain\/[^]]*]' /etc/sssd/sssd.conf
register: test_grep_domain
+ failed_when: false
+ changed_when: false
+ check_mode: false
+ when: '"sssd-common" in ansible_facts.packages'
+ tags:
+ - CCE-80910-3
+ - NIST-800-53-CM-6(a)
+ - NIST-800-53-IA-5(13)
+ - low_complexity
+ - medium_disruption
+ - medium_severity
+ - no_reboot_needed
+ - sssd_memcache_timeout
+ - unknown_strategy
+
+- name: Test for domain group in conf.d
+ ansible.builtin.shell: grep -rs '^\s*\[domain\/[^]]*]' /etc/sssd/conf.d/*.conf 2>/dev/null
+ register: test_grep_domain_conf_d
failed_when: false
changed_when: false
check_mode: false
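Review bot: Adding the `^` anchor is the substantive fix in this hunk: the old pattern `'\s*\[domain\/[^]]*]'` also matched a commented-out `# [domain/foo]` line, so a disabled domain stub suppressed the default-domain tasks and SSSD still failed to start. The bash side of this rule checks `'^\s*\[domain/'` with no closing `]`; the two should use the same pattern so a malformed header is treated the same way by both remediations.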
@@ -54,6 +72,8 @@
- '"sssd-common" in ansible_facts.packages'
- test_grep_domain.stdout is defined
- test_grep_domain.stdout | length < 1
+ - test_grep_domain_conf_d.stdout is defined
+ - test_grep_domain_conf_d.stdout | length < 1
tags:
- CCE-80910-3
- NIST-800-53-CM-6(a)
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sssd_offline_cred_expiration' differs.
--- xccdf_org.ssgproject.content_rule_sssd_offline_cred_expiration
+++ xccdf_org.ssgproject.content_rule_sssd_offline_cred_expiration
@@ -6,21 +6,39 @@
OLD_UMASK=$(umask)
umask u=rw,go=
+SSSD_CONF="/etc/sssd/sssd.conf"
+SSSD_CONF_DIR="/etc/sssd/conf.d"
+mkdir -p "$(dirname "$SSSD_CONF")"
+if [ ! -f "$SSSD_CONF" ]; then
+ touch "$SSSD_CONF"
+fi
+if ! grep -qsrP '^\s*\[domain/' "$SSSD_CONF" "$SSSD_CONF_DIR"/*.conf 2>/dev/null; then
+cat >> "$SSSD_CONF" << EOF
+
+[sssd]
+domains = default
+
+[domain/default]
+id_provider = files
+EOF
+fi
+
found=false
# set value in all files if they contain section or key
-for f in $(echo -n "/etc/sssd/sssd.conf /etc/sssd/conf.d/*.conf"); do
+for f in $(echo -n "$SSSD_CONF $SSSD_CONF_DIR/*.conf"); do
if [ ! -e "$f" ]; then
continue
fi
# find key in section and change value
if grep -qzosP "(?m)^[[:space:]]*\[pam\]([^\n\[]*\n+)+?[[:space:]]*offline_credentials_expiration" "$f"; then
- if ! grep -qzosP "(?m)^[[:space:]]*offline_credentials_expiration[[:space:]]*=[[:space:]]*1" "$f"; then
sed -i "/^[[:space:]]*offline_credentials_expiration/s/\([[:blank:]]*=[[:blank:]]*\).*/\11/" "$f"
- fi
+
+ # remove duplicate key lines, keep only the first occurrence
+ sed -i '0,/^[[:space:]]*offline_credentials_expiration[[:blank:]]*=/b; /^[[:space:]]*offline_credentials_expiration[[:blank:]]*=/d' "$f"
found=true
@@ -35,7 +53,7 @@
# if section not in any file, append section with key = value to FIRST file in files parameter
if ! $found ; then
- file=$(echo "/etc/sssd/sssd.conf /etc/sssd/conf.d/*.conf" | cut -f1 -d ' ')
+ file=$(echo "$SSSD_CONF $SSSD_CONF_DIR/*.conf" | cut -f1 -d ' ')
mkdir -p "$(dirname "$file")"
echo -e "[pam]\noffline_credentials_expiration=1" >> "$file"
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sssd_offline_cred_expiration' differs.
--- xccdf_org.ssgproject.content_rule_sssd_offline_cred_expiration
+++ xccdf_org.ssgproject.content_rule_sssd_offline_cred_expiration
@@ -13,9 +13,28 @@
- no_reboot_needed
- sssd_offline_cred_expiration
-- name: Test for domain group
- ansible.builtin.command: grep '\s*\[domain\/[^]]*]' /etc/sssd/sssd.conf
+- name: Test for domain group in main config
+ ansible.builtin.command: grep '^\s*\[domain\/[^]]*]' /etc/sssd/sssd.conf
register: test_grep_domain
+ failed_when: false
+ changed_when: false
+ check_mode: false
+ when: '"sssd-common" in ansible_facts.packages'
+ tags:
+ - CCE-82460-7
+ - DISA-STIG-RHEL-08-020290
+ - NIST-800-53-CM-6(a)
+ - NIST-800-53-IA-5(13)
+ - configure_strategy
+ - low_complexity
+ - medium_disruption
+ - medium_severity
+ - no_reboot_needed
+ - sssd_offline_cred_expiration
+
+- name: Test for domain group in conf.d
+ ansible.builtin.shell: grep -rs '^\s*\[domain\/[^]]*]' /etc/sssd/conf.d/*.conf 2>/dev/null
+ register: test_grep_domain_conf_d
failed_when: false
changed_when: false
check_mode: false
@@ -51,6 +70,8 @@
- '"sssd-common" in ansible_facts.packages'
- test_grep_domain.stdout is defined
- test_grep_domain.stdout | length < 1
+ - test_grep_domain_conf_d.stdout is defined
+ - test_grep_domain_conf_d.stdout | length < 1
tags:
- CCE-82460-7
- DISA-STIG-RHEL-08-020290
@@ -84,9 +105,9 @@
- no_reboot_needed
- sssd_offline_cred_expiration
-- name: Find all the conf files inside /etc/sssd/conf.d/
+- name: Find all the conf files inside /etc/sssd/conf.d
ansible.builtin.find:
- paths: /etc/sssd/conf.d/
+ paths: /etc/sssd/conf.d
patterns: '*.conf'
register: sssd_conf_d_files
when: '"sssd-common" in ansible_facts.packages'
@@ -102,7 +123,7 @@
- no_reboot_needed
- sssd_offline_cred_expiration
-- name: Fix offline_credentials_expiration configuration in /etc/sssd/conf.d/
+- name: Fix offline_credentials_expiration configuration in /etc/sssd/conf.d
ansible.builtin.replace:
path: '{{ item.path }}'
regexp: '[^#]*offline_credentials_expiration.*'
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sssd_run_as_sssd_user' differs.
--- xccdf_org.ssgproject.content_rule_sssd_run_as_sssd_user
+++ xccdf_org.ssgproject.content_rule_sssd_run_as_sssd_user
@@ -1,28 +1,46 @@
# Remediation is applicable only in certain platforms
if rpm --quiet -q sssd-common; then
-
-MAIN_CONF="/etc/sssd/conf.d/ospp.conf"
# sssd configuration files must be created with 600 permissions if they don't exist
# otherwise the sssd module fails to start
OLD_UMASK=$(umask)
umask u=rw,go=
+SSSD_CONF="/etc/sssd/sssd.conf"
+SSSD_CONF_DIR="/etc/sssd/conf.d"
+mkdir -p "$(dirname "$SSSD_CONF")"
+if [ ! -f "$SSSD_CONF" ]; then
+ touch "$SSSD_CONF"
+fi
+if ! grep -qsrP '^\s*\[domain/' "$SSSD_CONF" "$SSSD_CONF_DIR"/*.conf 2>/dev/null; then
+cat >> "$SSSD_CONF" << EOF
+
+[sssd]
+domains = default
+
+[domain/default]
+id_provider = files
+EOF
+fi
+
+MAIN_CONF="$SSSD_CONF_DIR/ospp.conf"
+
found=false
# set value in all files if they contain section or key
-for f in $(echo -n "$MAIN_CONF /etc/sssd/sssd.conf /etc/sssd/conf.d/*.conf"); do
+for f in $(echo -n "$MAIN_CONF $SSSD_CONF $SSSD_CONF_DIR/*.conf"); do
if [ ! -e "$f" ]; then
continue
fi
# find key in section and change value
if grep -qzosP "(?m)^[[:space:]]*\[sssd\]([^\n\[]*\n+)+?[[:space:]]*user" "$f"; then
- if ! grep -qzosP "(?m)^[[:space:]]*user[[:space:]]*=[[:space:]]*sssd" "$f"; then
sed -i "/^[[:space:]]*user/s/\([[:blank:]]*=[[:blank:]]*\).*/\1sssd/" "$f"
- fi
+
+ # remove duplicate key lines, keep only the first occurrence
+ sed -i '0,/^[[:space:]]*user[[:blank:]]*=/b; /^[[:space:]]*user[[:blank:]]*=/d' "$f"
found=true
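Review bot: `/^[[:space:]]*user/` on the substitution line is a prefix match and now runs unconditionally, so any other key beginning with `user` in the same file (SSSD has `user_attributes` in `[ifp]`) would be rewritten to `user_attributes = sssd`. Anchor it the way the new dedup line does, `/^[[:space:]]*user[[:blank:]]*=/`. The dedup line is what fixes the `user=sssd` + `user=bob` case from wrong_value.fail.sh, but it does so by deleting every later `user =` line anywhere in the file rather than only inside `[sssd]`, which is worth limiting before this lands.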
@@ -37,7 +55,7 @@
# if section not in any file, append section with key = value to FIRST file in files parameter
if ! $found ; then
- file=$(echo "$MAIN_CONF /etc/sssd/sssd.conf /etc/sssd/conf.d/*.conf" | cut -f1 -d ' ')
+ file=$(echo "$MAIN_CONF $SSSD_CONF $SSSD_CONF_DIR/*.conf" | cut -f1 -d ' ')
mkdir -p "$(dirname "$file")"
echo -e "[sssd]\nuser=sssd" >> "$file"
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sssd_ssh_known_hosts_timeout' differs.
--- xccdf_org.ssgproject.content_rule_sssd_ssh_known_hosts_timeout
+++ xccdf_org.ssgproject.content_rule_sssd_ssh_known_hosts_timeout
@@ -9,21 +9,39 @@
OLD_UMASK=$(umask)
umask u=rw,go=
+SSSD_CONF="/etc/sssd/sssd.conf"
+SSSD_CONF_DIR="/etc/sssd/conf.d"
+mkdir -p "$(dirname "$SSSD_CONF")"
+if [ ! -f "$SSSD_CONF" ]; then
+ touch "$SSSD_CONF"
+fi
+if ! grep -qsrP '^\s*\[domain/' "$SSSD_CONF" "$SSSD_CONF_DIR"/*.conf 2>/dev/null; then
+cat >> "$SSSD_CONF" << EOF
+
+[sssd]
+domains = default
+
+[domain/default]
+id_provider = files
+EOF
+fi
+
found=false
# set value in all files if they contain section or key
-for f in $(echo -n "/etc/sssd/sssd.conf"); do
+for f in $(echo -n "$SSSD_CONF"); do
if [ ! -e "$f" ]; then
continue
fi
# find key in section and change value
if grep -qzosP "(?m)^[[:space:]]*\[ssh\]([^\n\[]*\n+)+?[[:space:]]*ssh_known_hosts_timeout" "$f"; then
- if ! grep -qzosP "(?m)^[[:space:]]*ssh_known_hosts_timeout[[:space:]]*=[[:space:]]*$var_sssd_ssh_known_hosts_timeout" "$f"; then
sed -i "/^[[:space:]]*ssh_known_hosts_timeout/s/\([[:blank:]]*=[[:blank:]]*\).*/\1$var_sssd_ssh_known_hosts_timeout/" "$f"
- fi
+
+ # remove duplicate key lines, keep only the first occurrence
+ sed -i '0,/^[[:space:]]*ssh_known_hosts_timeout[[:blank:]]*=/b; /^[[:space:]]*ssh_known_hosts_timeout[[:blank:]]*=/d' "$f"
found=true
@@ -38,7 +56,7 @@
# if section not in any file, append section with key = value to FIRST file in files parameter
if ! $found ; then
- file=$(echo "/etc/sssd/sssd.conf" | cut -f1 -d ' ')
+ file=$(echo "$SSSD_CONF" | cut -f1 -d ' ')
mkdir -p "$(dirname "$file")"
echo -e "[ssh]\nssh_known_hosts_timeout=$var_sssd_ssh_known_hosts_timeout" >> "$file"
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sssd_ssh_known_hosts_timeout' differs.
--- xccdf_org.ssgproject.content_rule_sssd_ssh_known_hosts_timeout
+++ xccdf_org.ssgproject.content_rule_sssd_ssh_known_hosts_timeout
@@ -17,9 +17,27 @@
tags:
- always
-- name: Test for domain group
- ansible.builtin.command: grep '\s*\[domain\/[^]]*]' /etc/sssd/sssd.conf
+- name: Test for domain group in main config
+ ansible.builtin.command: grep '^\s*\[domain\/[^]]*]' /etc/sssd/sssd.conf
register: test_grep_domain
+ failed_when: false
+ changed_when: false
+ check_mode: false
+ when: '"sssd-common" in ansible_facts.packages'
+ tags:
+ - CCE-82442-5
+ - NIST-800-53-CM-6(a)
+ - NIST-800-53-IA-5(13)
+ - low_complexity
+ - medium_disruption
+ - medium_severity
+ - no_reboot_needed
+ - sssd_ssh_known_hosts_timeout
+ - unknown_strategy
+
+- name: Test for domain group in conf.d
+ ansible.builtin.shell: grep -rs '^\s*\[domain\/[^]]*]' /etc/sssd/conf.d/*.conf 2>/dev/null
+ register: test_grep_domain_conf_d
failed_when: false
changed_when: false
check_mode: false
@@ -54,6 +72,8 @@
- '"sssd-common" in ansible_facts.packages'
- test_grep_domain.stdout is defined
- test_grep_domain.stdout | length < 1
+ - test_grep_domain_conf_d.stdout is defined
+ - test_grep_domain_conf_d.stdout | length < 1
tags:
- CCE-82442-5
- NIST-800-53-CM-6(a)

Change in Ansible: Please consider using more suitable Ansible module than
Description:
- ansible_sssd_ensure_default_domain and bash_sssd_ensure_default_domain

Rationale:
- pam_cert_auth, certificate_verification, user), SSSD won't start if no domain is defined
- sssd_enable_smartcards tests, authselect package has to be installed and configured to use sssd, because default profile is local, which has no with-smartcard feature
- sssd_run_as_sssd_user remediation fails on wrong_value.fail.sh test
- wrong_value.fail.sh test creates user=sssd + user=bob in the same section, then bash_ensure_ini_config finds user=sssd already matching, skips the sed and leaves user=bob untouched
- bash_ensure_ini_config to remove duplicated keys during remediation
- ism_o, stig and anssi profiles #14559
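A worked version of the duplicate-key problem the description refers to (`user=sssd` and `user=bob` in one section), as an added example that is not part of this PR or of the ComplianceAsCode macros. It goes one step beyond the diff by scoping both the rewrite and the duplicate removal to the target section, so a same-named or same-prefix key in another section of the same file is left alone. The function names `ensure_ini_key`, `write_sample`, `sssd_user_lines` and `demo`, and the sample sssd.conf content, are all constructed for this example.

```shell
#!/usr/bin/env bash
# Added example, not the ComplianceAsCode macro: section-scoped
# "ensure KEY = VALUE" for INI-style files such as sssd.conf.
# Within [SECTION]: the first "KEY =" line is rewritten, later duplicates
# are dropped, a missing key is added at the end of the section, and a
# missing section is appended to the file.
set -eu

# ensure_ini_key FILE SECTION KEY VALUE
# KEY is used inside a regex, so it is expected to be a plain identifier
# (letters, digits, underscore), which is what sssd.conf keys are.
ensure_ini_key() {
  local file=$1 section=$2 key=$3 value=$4 tmp
  tmp=$(mktemp)
  awk -v sec="$section" -v key="$key" -v val="$value" '
    # Leaving the target section: add the key if it was never seen there.
    function leave_section() {
      if (in_sec && !seen) print key " = " val
      in_sec = 0
    }
    /^[ \t]*\[/ {                        # section header line
      leave_section()
      hdr = $0
      sub(/^[ \t]*\[/, "", hdr)
      hdr = substr(hdr, 1, index(hdr, "]") - 1)
      in_sec = (hdr == sec)
      if (in_sec) { seen = 0; found_sec = 1 }
      print; next
    }
    in_sec && $0 ~ ("^[ \t]*" key "[ \t]*=") {
      if (seen) next                     # duplicate inside [SECTION]: drop it
      seen = 1
      print key " = " val                # first occurrence: set the value
      next
    }
    { print }
    END {
      leave_section()
      if (!found_sec) { print "[" sec "]"; print key " = " val }
    }
  ' "$file" > "$tmp"
  cat "$tmp" > "$file"   # write back through the existing inode, so mode 0600 is kept
  rm -f "$tmp"
}

# Constructed sample: the wrong_value.fail.sh shape from the PR description
# ("user = sssd" and "user = bob" in one section) plus a same-prefix key in
# another section that a file-wide sed on /^[[:space:]]*user/ would also hit.
write_sample() {
  cat > "$1" <<'EOF'
[sssd]
services = nss, pam
user = sssd
user = bob

[ifp]
user_attributes = +telephoneNumber
EOF
}

# Prints the "user" lines found inside [sssd], whitespace removed, each
# followed by ';' so the result can be compared as one string.
sssd_user_lines() {
  awk '/^[ \t]*\[/ { sec = $0 }
       sec == "[sssd]" && /^[ \t]*user[ \t]*=/ { gsub(/[ \t]/, ""); printf "%s;", $0 }' "$1"
}

# Stand-alone demo: run "bash this_script.sh demo" to see the resulting file.
demo() {
  local f
  f=$(mktemp)
  write_sample "$f"
  ensure_ini_key "$f" sssd user sssd           # rewrite first, drop the duplicate
  ensure_ini_key "$f" pam pam_cert_auth True   # section missing: appended
  cat "$f"
  rm -f "$f"
}
if [ "${1:-}" = "demo" ]; then demo; fi
```

After `ensure_ini_key "$f" sssd user sssd` the `[sssd]` section holds a single `user = sssd` line and `[ifp]`'s `user_attributes` is untouched; the file is written back through `cat > "$file"` rather than a rename so the 0600 mode the remediations set with `umask u=rw,go=` survives.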
pam_cert_auth,certificate_verification,user), SSSD won't start if no domain is definedsssd_enable_smartcardstests,authselectpackage has to be installed and configured to usesssd, because default profile islocal, which has nowith-smartcardfeaturesssd_run_as_sssd_userremediation fails onwrong_value.fail.shtestwrong_value.fail.shtest createsuser=sssd+user=bobin the same section, thenbash_ensure_ini_configfindsuser=sssdalready matching, skips thesedand leavesuser=bobuntouchedbash_ensure_ini_configto remove duplicated keys during remediationism_o,stigandanssiprofiles #14559