
Add default domain to SSSD related remediations and fix Fedora test failures#14726

Draft
Arden97 wants to merge 2 commits into
ComplianceAsCode:masterfrom
Arden97:sssd_fails

Conversation

@Arden97
Contributor

@Arden97 Arden97 commented May 20, 2026

Description:

  • updating Ansible and bash remediations for some SSSD-related rules to use a default domain
  • adding new macros ansible_sssd_ensure_default_domain and bash_sssd_ensure_default_domain

Rationale:

  • add default domain configuration to some SSSD-related remediations, because when a remediation configures SSSD settings (e.g., pam_cert_auth, certificate_verification, user), SSSD won't start if no domain is defined
  • for the sssd_enable_smartcards tests, the authselect package has to be installed and configured to use sssd, because the default profile is local, which has no with-smartcard feature
  • the sssd_run_as_sssd_user remediation fails on the wrong_value.fail.sh test
    • the wrong_value.fail.sh test creates user=sssd and user=bob in the same section, then bash_ensure_ini_config finds user=sssd already matching, skips the sed and leaves user=bob untouched
    • update bash_ensure_ini_config to remove duplicate keys during remediation
  • Fixes sssd.service fails to start after hardening with ism_o, stig and anssi profiles #14559
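An added example of the fix the last two bullets describe, written for this page and not taken from the PR or from the project's own bash_ensure_ini_config macro: a helper that sets key = value inside one INI section and drops duplicate keys in that section only, so a same-named key in another section (here the constructed `user_attributes` line under `[ifp]`) is left alone, and the file is rewritten only when its content actually changes. It assumes only `awk`, `mktemp` and `cmp`; the sample sssd.conf it builds is constructed to mirror the wrong_value.fail.sh scenario (user=sssd and user=bob in one `[sssd]` section) and is not a real host file.

```shell
#!/bin/sh
# Added example, not ComplianceAsCode code: section-scoped "set KEY = VALUE
# and drop duplicate KEY lines" for INI-style files such as sssd.conf.
set -eu

# ensure_ini_key FILE SECTION KEY VALUE
# Prints "changed" or "unchanged". KEY is used inside an awk regex, so it is
# expected to be a plain identifier (letters, digits, underscores).
ensure_ini_key() {
  local file="$1" section="$2" key="$3" value="$4" tmp
  tmp="$(mktemp)"
  awk -v S="$section" -v K="$key" -v V="$value" '
    # leaving the target section (or hitting EOF) without KEY: append it
    function flush_missing() {
      if (in_target && !seen) { print K " = " V; seen = 1 }
    }
    /^[[:space:]]*\[[^]]+\][[:space:]]*$/ {
      flush_missing()
      sec = $0
      sub(/^[[:space:]]*\[/, "", sec); sub(/\][[:space:]]*$/, "", sec)
      in_target = (sec == S)
      if (in_target) found_section = 1
      print; next
    }
    in_target && $0 ~ ("^[[:space:]]*" K "[[:space:]]*=") {
      if (seen) next                   # duplicate KEY in this section: drop it
      seen = 1; print K " = " V; next  # first occurrence: normalise the value
    }
    { print }
    END {
      flush_missing()
      if (!found_section) { print ""; print "[" S "]"; print K " = " V }
    }
  ' "$file" > "$tmp"
  if cmp -s "$file" "$tmp"; then
    rm -f "$tmp"; echo unchanged
  else
    # write into the existing inode so mode/owner (0600 root for sssd) survive
    cat "$tmp" > "$file"; rm -f "$tmp"; echo changed
  fi
}

# Constructed sample (not a real host file) in the shape the failing test uses.
make_sample() {
  local f
  f="$(mktemp)"
  chmod 0600 "$f"
  printf '%s\n' '[sssd]' 'services = nss, pam' 'user=sssd' 'user=bob' \
    '' '[ifp]' 'user_attributes = +mail' > "$f"
  echo "$f"
}

# Runs the scenario, prints the resulting file, returns 0 on the expected outcome.
demo() {
  local f r1 r2 r3
  f="$(make_sample)"
  r1="$(ensure_ini_key "$f" sssd user sssd)"          # changed: user=bob dropped
  r2="$(ensure_ini_key "$f" sssd user sssd)"          # unchanged: idempotent
  r3="$(ensure_ini_key "$f" pam pam_cert_auth True)"  # changed: [pam] appended
  cat "$f"
  rm -f "$f"
  [ "$r1 $r2 $r3" = "changed unchanged changed" ]
}
```

Running `demo` leaves a single `user = sssd` under `[sssd]`, keeps `user_attributes = +mail` under `[ifp]` untouched, and appends a `[pam]` section on the third call; the second call reports `unchanged` because the file is compared before being rewritten, which is the idempotency an unconditional `sed -i` gives up.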

@openshift-ci

openshift-ci Bot commented May 20, 2026

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@openshift-ci openshift-ci Bot added the do-not-merge/work-in-progress Used by openshift-ci bot. label May 20, 2026
@Arden97 Arden97 added this to the 0.1.82 milestone May 20, 2026
@github-actions

github-actions Bot commented May 20, 2026

This datastream diff is auto generated by the check Compare DS/Generate Diff

bash remediation for rule 'xccdf_org.ssgproject.content_rule_xwayland_disabled' differs.
--- xccdf_org.ssgproject.content_rule_xwayland_disabled
+++ xccdf_org.ssgproject.content_rule_xwayland_disabled
@@ -11,11 +11,12 @@
 
     # find key in section and change value
     if grep -qzosP "(?m)^[[:space:]]*\[daemon\]([^\n\[]*\n+)+?[[:space:]]*WaylandEnable" "$f"; then
-        if ! grep -qzosP "(?m)^[[:space:]]*WaylandEnable[[:space:]]*=[[:space:]]*false" "$f"; then
 
             sed -i "/^[[:space:]]*WaylandEnable/s/\([[:blank:]]*=[[:blank:]]*\).*/\1false/" "$f"
 
-        fi
+
+        # remove duplicate key lines, keep only the first occurrence
+        sed -i '0,/^[[:space:]]*WaylandEnable[[:blank:]]*=/b; /^[[:space:]]*WaylandEnable[[:blank:]]*=/d' "$f"
 
         found=true
 
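Review bot: dropping the `if ! grep ... false` guard means `sed -i` now rewrites the file on every run, even when `WaylandEnable=false` is already the only value present, so a compliant host gets a fresh mtime on the file each remediation pass (file-integrity checks and "changed" reporting will notice). Keep the guard and move only the new dedupe line outside it, or gate both sed calls on one combined check. Note also that `0,/re/b` is a GNU sed range extension; fine for the Fedora/RHEL targets here, but worth a comment in the macro since this template is expanded into every ini-based remediation below.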

bash remediation for rule 'xccdf_org.ssgproject.content_rule_disable_weak_deps' differs.
--- xccdf_org.ssgproject.content_rule_disable_weak_deps
+++ xccdf_org.ssgproject.content_rule_disable_weak_deps
@@ -11,11 +11,12 @@
 
     # find key in section and change value
     if grep -qzosP "(?m)^[[:space:]]*\[main\]([^\n\[]*\n+)+?[[:space:]]*install_weak_deps" "$f"; then
-        if ! grep -qzosP "(?m)^[[:space:]]*install_weak_deps[[:space:]]*=[[:space:]]*0" "$f"; then
 
             sed -i "/^[[:space:]]*install_weak_deps/s/\([[:blank:]]*=[[:blank:]]*\).*/\10/" "$f"
 
-        fi
+
+        # remove duplicate key lines, keep only the first occurrence
+        sed -i '0,/^[[:space:]]*install_weak_deps[[:blank:]]*=/b; /^[[:space:]]*install_weak_deps[[:blank:]]*=/d' "$f"
 
         found=true
 

bash remediation for rule 'xccdf_org.ssgproject.content_rule_dnf-automatic_apply_updates' differs.
--- xccdf_org.ssgproject.content_rule_dnf-automatic_apply_updates
+++ xccdf_org.ssgproject.content_rule_dnf-automatic_apply_updates
@@ -11,11 +11,12 @@
 
     # find key in section and change value
     if grep -qzosP "(?m)^[[:space:]]*\[commands\]([^\n\[]*\n+)+?[[:space:]]*apply_updates" "$f"; then
-        if ! grep -qzosP "(?m)^[[:space:]]*apply_updates[[:space:]]*=[[:space:]]*yes" "$f"; then
 
             sed -i "/^[[:space:]]*apply_updates/s/\([[:blank:]]*=[[:blank:]]*\).*/\1yes/" "$f"
 
-        fi
+
+        # remove duplicate key lines, keep only the first occurrence
+        sed -i '0,/^[[:space:]]*apply_updates[[:blank:]]*=/b; /^[[:space:]]*apply_updates[[:blank:]]*=/d' "$f"
 
         found=true
 

bash remediation for rule 'xccdf_org.ssgproject.content_rule_dnf-automatic_security_updates_only' differs.
--- xccdf_org.ssgproject.content_rule_dnf-automatic_security_updates_only
+++ xccdf_org.ssgproject.content_rule_dnf-automatic_security_updates_only
@@ -11,11 +11,12 @@
 
     # find key in section and change value
     if grep -qzosP "(?m)^[[:space:]]*\[commands\]([^\n\[]*\n+)+?[[:space:]]*upgrade_type" "$f"; then
-        if ! grep -qzosP "(?m)^[[:space:]]*upgrade_type[[:space:]]*=[[:space:]]*security" "$f"; then
 
             sed -i "/^[[:space:]]*upgrade_type/s/\([[:blank:]]*=[[:blank:]]*\).*/\1security/" "$f"
 
-        fi
+
+        # remove duplicate key lines, keep only the first occurrence
+        sed -i '0,/^[[:space:]]*upgrade_type[[:blank:]]*=/b; /^[[:space:]]*upgrade_type[[:blank:]]*=/d' "$f"
 
         found=true
 

bash remediation for rule 'xccdf_org.ssgproject.content_rule_require_singleuser_auth' differs.
--- xccdf_org.ssgproject.content_rule_require_singleuser_auth
+++ xccdf_org.ssgproject.content_rule_require_singleuser_auth
@@ -11,11 +11,12 @@
 
     # find key in section and change value
     if grep -qzosP "(?m)^[[:space:]]*\[Service\]([^\n\[]*\n+)+?[[:space:]]*ExecStart" "$f"; then
-        if ! grep -qzosP "(?m)^[[:space:]]*ExecStart[[:space:]]*=[[:space:]]*\nExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue" "$f"; then
 
             sed -i "/^[[:space:]]*ExecStart/s/\([[:blank:]]*=[[:blank:]]*\).*/\1\nExecStart=-\/usr\/lib\/systemd\/systemd-sulogin-shell rescue/" "$f"
 
-        fi
+
+        # remove duplicate key lines, keep only the first occurrence
+        sed -i '0,/^[[:space:]]*ExecStart[[:blank:]]*=/b; /^[[:space:]]*ExecStart[[:blank:]]*=/d' "$f"
 
         found=true
 
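Review bot: the new dedupe line deletes the line the substitution above just inserted. The `s///` replacement writes `ExecStart=` followed by a newline and a second `ExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue` line (the empty first assignment is what resets systemd's ExecStart list), and `0,/^[[:space:]]*ExecStart[[:blank:]]*=/b; /.../d` then keeps only the first of those two, leaving a bare `ExecStart=` in the override with no command. This rule needs to opt out of the dedupe step in the macro (or dedupe before substituting), and a test scenario that starts from the two-line form should be added so the regression is caught.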

bash remediation for rule 'xccdf_org.ssgproject.content_rule_journald_compress' differs.
--- xccdf_org.ssgproject.content_rule_journald_compress
+++ xccdf_org.ssgproject.content_rule_journald_compress
@@ -11,11 +11,12 @@
 
     # find key in section and change value
     if grep -qzosP "(?m)^[[:space:]]*\[Journal\]([^\n\[]*\n+)+?[[:space:]]*Compress" "$f"; then
-        if ! grep -qzosP "(?m)^[[:space:]]*Compress[[:space:]]*=[[:space:]]*yes" "$f"; then
 
             sed -i "/^[[:space:]]*Compress/s/\([[:blank:]]*=[[:blank:]]*\).*/\1yes/" "$f"
 
-        fi
+
+        # remove duplicate key lines, keep only the first occurrence
+        sed -i '0,/^[[:space:]]*Compress[[:blank:]]*=/b; /^[[:space:]]*Compress[[:blank:]]*=/d' "$f"
 
         found=true
 

bash remediation for rule 'xccdf_org.ssgproject.content_rule_journald_disable_forward_to_syslog' differs.
--- xccdf_org.ssgproject.content_rule_journald_disable_forward_to_syslog
+++ xccdf_org.ssgproject.content_rule_journald_disable_forward_to_syslog
@@ -11,11 +11,12 @@
 
     # find key in section and change value
     if grep -qzosP "(?m)^[[:space:]]*\[Journal\]([^\n\[]*\n+)+?[[:space:]]*ForwardToSyslog" "$f"; then
-        if ! grep -qzosP "(?m)^[[:space:]]*ForwardToSyslog[[:space:]]*=[[:space:]]*no" "$f"; then
 
             sed -i "/^[[:space:]]*ForwardToSyslog/s/\([[:blank:]]*=[[:blank:]]*\).*/\1no/" "$f"
 
-        fi
+
+        # remove duplicate key lines, keep only the first occurrence
+        sed -i '0,/^[[:space:]]*ForwardToSyslog[[:blank:]]*=/b; /^[[:space:]]*ForwardToSyslog[[:blank:]]*=/d' "$f"
 
         found=true
 

bash remediation for rule 'xccdf_org.ssgproject.content_rule_journald_forward_to_syslog' differs.
--- xccdf_org.ssgproject.content_rule_journald_forward_to_syslog
+++ xccdf_org.ssgproject.content_rule_journald_forward_to_syslog
@@ -11,11 +11,12 @@
 
     # find key in section and change value
     if grep -qzosP "(?m)^[[:space:]]*\[Journal\]([^\n\[]*\n+)+?[[:space:]]*ForwardToSyslog" "$f"; then
-        if ! grep -qzosP "(?m)^[[:space:]]*ForwardToSyslog[[:space:]]*=[[:space:]]*yes" "$f"; then
 
             sed -i "/^[[:space:]]*ForwardToSyslog/s/\([[:blank:]]*=[[:blank:]]*\).*/\1yes/" "$f"
 
-        fi
+
+        # remove duplicate key lines, keep only the first occurrence
+        sed -i '0,/^[[:space:]]*ForwardToSyslog[[:blank:]]*=/b; /^[[:space:]]*ForwardToSyslog[[:blank:]]*=/d' "$f"
 
         found=true
 

bash remediation for rule 'xccdf_org.ssgproject.content_rule_journald_storage' differs.
--- xccdf_org.ssgproject.content_rule_journald_storage
+++ xccdf_org.ssgproject.content_rule_journald_storage
@@ -11,11 +11,12 @@
 
     # find key in section and change value
     if grep -qzosP "(?m)^[[:space:]]*\[Journal\]([^\n\[]*\n+)+?[[:space:]]*Storage" "$f"; then
-        if ! grep -qzosP "(?m)^[[:space:]]*Storage[[:space:]]*=[[:space:]]*persistent" "$f"; then
 
             sed -i "/^[[:space:]]*Storage/s/\([[:blank:]]*=[[:blank:]]*\).*/\1persistent/" "$f"
 
-        fi
+
+        # remove duplicate key lines, keep only the first occurrence
+        sed -i '0,/^[[:space:]]*Storage[[:blank:]]*=/b; /^[[:space:]]*Storage[[:blank:]]*=/d' "$f"
 
         found=true
 

bash remediation for rule 'xccdf_org.ssgproject.content_rule_coredump_disable_backtraces' differs.
--- xccdf_org.ssgproject.content_rule_coredump_disable_backtraces
+++ xccdf_org.ssgproject.content_rule_coredump_disable_backtraces
@@ -11,11 +11,12 @@
 
     # find key in section and change value
     if grep -qzosP "(?m)^[[:space:]]*\[Coredump\]([^\n\[]*\n+)+?[[:space:]]*ProcessSizeMax" "$f"; then
-        if ! grep -qzosP "(?m)^[[:space:]]*ProcessSizeMax[[:space:]]*=[[:space:]]*0" "$f"; then
 
             sed -i "/^[[:space:]]*ProcessSizeMax/s/\([[:blank:]]*=[[:blank:]]*\).*/\10/" "$f"
 
-        fi
+
+        # remove duplicate key lines, keep only the first occurrence
+        sed -i '0,/^[[:space:]]*ProcessSizeMax[[:blank:]]*=/b; /^[[:space:]]*ProcessSizeMax[[:blank:]]*=/d' "$f"
 
         found=true
 

bash remediation for rule 'xccdf_org.ssgproject.content_rule_coredump_disable_storage' differs.
--- xccdf_org.ssgproject.content_rule_coredump_disable_storage
+++ xccdf_org.ssgproject.content_rule_coredump_disable_storage
@@ -11,11 +11,12 @@
 
     # find key in section and change value
     if grep -qzosP "(?m)^[[:space:]]*\[Coredump\]([^\n\[]*\n+)+?[[:space:]]*Storage" "$f"; then
-        if ! grep -qzosP "(?m)^[[:space:]]*Storage[[:space:]]*=[[:space:]]*none" "$f"; then
 
             sed -i "/^[[:space:]]*Storage/s/\([[:blank:]]*=[[:blank:]]*\).*/\1none/" "$f"
 
-        fi
+
+        # remove duplicate key lines, keep only the first occurrence
+        sed -i '0,/^[[:space:]]*Storage[[:blank:]]*=/b; /^[[:space:]]*Storage[[:blank:]]*=/d' "$f"
 
         found=true
 

bash remediation for rule 'xccdf_org.ssgproject.content_rule_sssd_certificate_verification' differs.
--- xccdf_org.ssgproject.content_rule_sssd_certificate_verification
+++ xccdf_org.ssgproject.content_rule_sssd_certificate_verification
@@ -9,23 +9,41 @@
 OLD_UMASK=$(umask)
 umask u=rw,go=
 
-MAIN_CONF="/etc/sssd/conf.d/certificate_verification.conf"
+SSSD_CONF="/etc/sssd/sssd.conf"
+SSSD_CONF_DIR="/etc/sssd/conf.d"
+mkdir -p "$(dirname "$SSSD_CONF")"
+if [ ! -f "$SSSD_CONF" ]; then
+    touch "$SSSD_CONF"
+fi
+if ! grep -qsrP '^\s*\[domain/' "$SSSD_CONF" "$SSSD_CONF_DIR"/*.conf 2>/dev/null; then
+cat >> "$SSSD_CONF" << EOF
+
+[sssd]
+domains = default
+
+[domain/default]
+id_provider = files
+EOF
+fi
+
+MAIN_CONF="$SSSD_CONF_DIR/certificate_verification.conf"
 
 found=false
 
 # set value in all files if they contain section or key
-for f in $(echo -n "$MAIN_CONF /etc/sssd/sssd.conf /etc/sssd/conf.d/*.conf"); do
+for f in $(echo -n "$MAIN_CONF $SSSD_CONF $SSSD_CONF_DIR/*.conf"); do
     if [ ! -e "$f" ]; then
         continue
     fi
 
     # find key in section and change value
     if grep -qzosP "(?m)^[[:space:]]*\[sssd\]([^\n\[]*\n+)+?[[:space:]]*certificate_verification" "$f"; then
-        if ! grep -qzosP "(?m)^[[:space:]]*certificate_verification[[:space:]]*=[[:space:]]*ocsp_dgst=$var_sssd_certificate_verification_digest_function" "$f"; then
 
             sed -i "/^[[:space:]]*certificate_verification/s/\([[:blank:]]*=[[:blank:]]*\).*/\1ocsp_dgst=$var_sssd_certificate_verification_digest_function/" "$f"
 
-        fi
+
+        # remove duplicate key lines, keep only the first occurrence
+        sed -i '0,/^[[:space:]]*certificate_verification[[:blank:]]*=/b; /^[[:space:]]*certificate_verification[[:blank:]]*=/d' "$f"
 
         found=true
 
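Review bot: the fallback appends a fresh `[sssd]` header with `domains = default` even when the file already has a `[sssd]` section that merely lacks a domain, so sssd.conf ends up with two `[sssd]` headers; the section-aware grep/sed this script already uses a few lines later should add the key to the existing section instead. Separately, `id_provider = files` only works where the target's SSSD is built with the files provider; on a build that has it disabled the backend fails to load and the domain still does not start, which is the failure this PR sets out to fix, so the description should say which Fedora/RHEL builds the stub was verified on (`id_provider = proxy` with `proxy_lib_name = files` is the alternative where files is unavailable).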
@@ -40,7 +58,7 @@
 
 # if section not in any file, append section with key = value to FIRST file in files parameter
 if ! $found ; then
-    file=$(echo "$MAIN_CONF /etc/sssd/sssd.conf /etc/sssd/conf.d/*.conf" | cut -f1 -d ' ')
+    file=$(echo "$MAIN_CONF $SSSD_CONF $SSSD_CONF_DIR/*.conf" | cut -f1 -d ' ')
     mkdir -p "$(dirname "$file")"
 
     echo -e "[sssd]\ncertificate_verification=ocsp_dgst=$var_sssd_certificate_verification_digest_function" >> "$file"

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sssd_certificate_verification' differs.
--- xccdf_org.ssgproject.content_rule_sssd_certificate_verification
+++ xccdf_org.ssgproject.content_rule_sssd_certificate_verification
@@ -16,6 +16,74 @@
     var_sssd_certificate_verification_digest_function: !!str 
   tags:
     - always
+
+- name: Test for domain group in main config
+  ansible.builtin.command: grep '^\s*\[domain\/[^]]*]' /etc/sssd/sssd.conf
+  register: test_grep_domain
+  failed_when: false
+  changed_when: false
+  check_mode: false
+  when: '"sssd-common" in ansible_facts.packages'
+  tags:
+  - CCE-86120-3
+  - DISA-STIG-RHEL-08-010400
+  - NIST-800-53-IA-2(11)
+  - configure_strategy
+  - low_complexity
+  - medium_disruption
+  - medium_severity
+  - no_reboot_needed
+  - sssd_certificate_verification
+
+- name: Test for domain group in conf.d
+  ansible.builtin.shell: grep -rs '^\s*\[domain\/[^]]*]' /etc/sssd/conf.d/*.conf 2>/dev/null
+  register: test_grep_domain_conf_d
+  failed_when: false
+  changed_when: false
+  check_mode: false
+  when: '"sssd-common" in ansible_facts.packages'
+  tags:
+  - CCE-86120-3
+  - DISA-STIG-RHEL-08-010400
+  - NIST-800-53-IA-2(11)
+  - configure_strategy
+  - low_complexity
+  - medium_disruption
+  - medium_severity
+  - no_reboot_needed
+  - sssd_certificate_verification
+
+- name: Add default domain group (if no domain there)
+  community.general.ini_file:
+    path: /etc/sssd/sssd.conf
+    section: '{{ item.section }}'
+    option: '{{ item.option }}'
+    value: '{{ item.value }}'
+    create: true
+    mode: 384
+  with_items:
+  - section: sssd
+    option: domains
+    value: default
+  - section: domain/default
+    option: id_provider
+    value: files
+  when:
+  - '"sssd-common" in ansible_facts.packages'
+  - test_grep_domain.stdout is defined
+  - test_grep_domain.stdout | length < 1
+  - test_grep_domain_conf_d.stdout is defined
+  - test_grep_domain_conf_d.stdout | length < 1
+  tags:
+  - CCE-86120-3
+  - DISA-STIG-RHEL-08-010400
+  - NIST-800-53-IA-2(11)
+  - configure_strategy
+  - low_complexity
+  - medium_disruption
+  - medium_severity
+  - no_reboot_needed
+  - sssd_certificate_verification
 
 - name: Ensure that "certificate_verification" is not set in /etc/sssd/sssd.conf
   community.general.ini_file:
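Review bot: the Ansible and bash sides of the new macro now diverge in how the stub is written: `ini_file` adds `domains` and `id_provider` into existing sections (and will overwrite an existing `domains =` value under `[sssd]` whenever no `[domain/...]` section is found), while the bash version appends a new block. Both remediations should produce the same file, so pick one behaviour and apply it to the macro on both sides. Minor: `grep -rs ... /etc/sssd/conf.d/*.conf` does not need `-r`, the shell already expands the glob to plain files.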
@@ -36,7 +104,7 @@
   - no_reboot_needed
   - sssd_certificate_verification
 
-- name: Ensure that "certificate_verification" is not set in  /etc/sssd/conf.d/*.conf
+- name: Ensure that "certificate_verification" is not set in /etc/sssd/conf.d/*.conf
   community.general.ini_file:
     path: /etc/sssd/conf.d/*.conf
     section: sssd

bash remediation for rule 'xccdf_org.ssgproject.content_rule_sssd_enable_pam_services' differs.
--- xccdf_org.ssgproject.content_rule_sssd_enable_pam_services
+++ xccdf_org.ssgproject.content_rule_sssd_enable_pam_services
@@ -7,16 +7,26 @@
 umask u=rw,go=
 
 SSSD_CONF="/etc/sssd/sssd.conf"
-SSSD_CONF_DIR="/etc/sssd/conf.d/*.conf"
-
-if [ ! -f "$SSSD_CONF" ] && [ ! -f "$SSSD_CONF_DIR" ]; then
-    mkdir -p /etc/sssd
+SSSD_CONF_DIR="/etc/sssd/conf.d"
+mkdir -p "$(dirname "$SSSD_CONF")"
+if [ ! -f "$SSSD_CONF" ]; then
     touch "$SSSD_CONF"
 fi
+if ! grep -qsrP '^\s*\[domain/' "$SSSD_CONF" "$SSSD_CONF_DIR"/*.conf 2>/dev/null; then
+cat >> "$SSSD_CONF" << EOF
+
+[sssd]
+domains = default
+
+[domain/default]
+id_provider = files
+EOF
+fi
+
 
 # Flag to check if there is already services with pam
 service_already_exist=false
-for f in $SSSD_CONF $SSSD_CONF_DIR; do
+for f in $SSSD_CONF $SSSD_CONF_DIR/*.conf; do
 	if [ ! -e "$f" ]; then
 		continue
 	fi
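Review bot: the new sssd.conf creation (`touch`, then `cat >> "$SSSD_CONF" << EOF`) only gets its 0600 mode because the caller set `umask u=rw,go=` a few lines earlier; the macro itself enforces nothing, so a future call site that expands `bash_sssd_ensure_default_domain` before the umask line will produce a world-readable sssd.conf that SSSD refuses to load (the comment above the umask in this script states exactly that requirement). Either set the umask or `chmod 0600` inside the macro, or document the ordering requirement in it. Also, `2>/dev/null` is redundant with `grep -s`.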
@@ -38,7 +48,7 @@
 
 # If there was no service in [sssd], add it to first config
 if [ "$service_already_exist" = false ]; then
-    for f in $SSSD_CONF $SSSD_CONF_DIR; do
+    for f in $SSSD_CONF $SSSD_CONF_DIR/*.conf; do
         cat << EOF >> "$f"
 [sssd]
 services = pam
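Review bot: with the default-domain block possibly just appended to sssd.conf by the macro above, this fallback appends a second `[sssd]` header (with `services = pam`) to the same file, so a freshly remediated host can carry two `[sssd]` sections in sssd.conf. Since `service_already_exist` is only false when no `services` key was found, detect an existing `[sssd]` header and insert the key under it, and append the header only when none exists.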

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sssd_enable_pam_services' differs.
--- xccdf_org.ssgproject.content_rule_sssd_enable_pam_services
+++ xccdf_org.ssgproject.content_rule_sssd_enable_pam_services
@@ -12,11 +12,79 @@
   - no_reboot_needed
   - sssd_enable_pam_services
 
-- name: Configure PAM in SSSD Services - Find all the conf files inside the /etc/sssd/conf.d/
+- name: Test for domain group in main config
+  ansible.builtin.command: grep '^\s*\[domain\/[^]]*]' /etc/sssd/sssd.conf
+  register: test_grep_domain
+  failed_when: false
+  changed_when: false
+  check_mode: false
+  when: '"sssd-common" in ansible_facts.packages'
+  tags:
+  - CCE-82446-6
+  - NIST-800-53-CM-6(a)
+  - NIST-800-53-IA-2(1)
+  - configure_strategy
+  - low_complexity
+  - medium_disruption
+  - medium_severity
+  - no_reboot_needed
+  - sssd_enable_pam_services
+
+- name: Test for domain group in conf.d
+  ansible.builtin.shell: grep -rs '^\s*\[domain\/[^]]*]' /etc/sssd/conf.d/*.conf 2>/dev/null
+  register: test_grep_domain_conf_d
+  failed_when: false
+  changed_when: false
+  check_mode: false
+  when: '"sssd-common" in ansible_facts.packages'
+  tags:
+  - CCE-82446-6
+  - NIST-800-53-CM-6(a)
+  - NIST-800-53-IA-2(1)
+  - configure_strategy
+  - low_complexity
+  - medium_disruption
+  - medium_severity
+  - no_reboot_needed
+  - sssd_enable_pam_services
+
+- name: Add default domain group (if no domain there)
+  community.general.ini_file:
+    path: /etc/sssd/sssd.conf
+    section: '{{ item.section }}'
+    option: '{{ item.option }}'
+    value: '{{ item.value }}'
+    create: true
+    mode: 384
+  with_items:
+  - section: sssd
+    option: domains
+    value: default
+  - section: domain/default
+    option: id_provider
+    value: files
+  when:
+  - '"sssd-common" in ansible_facts.packages'
+  - test_grep_domain.stdout is defined
+  - test_grep_domain.stdout | length < 1
+  - test_grep_domain_conf_d.stdout is defined
+  - test_grep_domain_conf_d.stdout | length < 1
+  tags:
+  - CCE-82446-6
+  - NIST-800-53-CM-6(a)
+  - NIST-800-53-IA-2(1)
+  - configure_strategy
+  - low_complexity
+  - medium_disruption
+  - medium_severity
+  - no_reboot_needed
+  - sssd_enable_pam_services
+
+- name: Configure PAM in SSSD Services - Find all the conf files inside the /etc/sssd/conf.d
     directory
   ansible.builtin.find:
     paths:
-    - /etc/sssd/conf.d/
+    - /etc/sssd/conf.d
     patterns: '*.conf'
   register: sssd_conf_d_files
   when: '"sssd-common" in ansible_facts.packages'
@@ -31,7 +99,7 @@
   - no_reboot_needed
   - sssd_enable_pam_services
 
-- name: Configure PAM in SSSD Services - Modify lines in files in the /etc/sssd/conf.d/
+- name: Configure PAM in SSSD Services - Modify lines in files in the /etc/sssd/conf.d
     directory
   ansible.builtin.replace:
     path: '{{ item }}'

bash remediation for rule 'xccdf_org.ssgproject.content_rule_sssd_enable_smartcards' differs.
--- xccdf_org.ssgproject.content_rule_sssd_enable_smartcards
+++ xccdf_org.ssgproject.content_rule_sssd_enable_smartcards
@@ -6,21 +6,39 @@
 OLD_UMASK=$(umask)
 umask u=rw,go=
 
+SSSD_CONF="/etc/sssd/sssd.conf"
+SSSD_CONF_DIR="/etc/sssd/conf.d"
+mkdir -p "$(dirname "$SSSD_CONF")"
+if [ ! -f "$SSSD_CONF" ]; then
+    touch "$SSSD_CONF"
+fi
+if ! grep -qsrP '^\s*\[domain/' "$SSSD_CONF" "$SSSD_CONF_DIR"/*.conf 2>/dev/null; then
+cat >> "$SSSD_CONF" << EOF
+
+[sssd]
+domains = default
+
+[domain/default]
+id_provider = files
+EOF
+fi
+
 found=false
 
 # set value in all files if they contain section or key
-for f in $(echo -n "/etc/sssd/sssd.conf /etc/sssd/conf.d/*.conf"); do
+for f in $(echo -n "$SSSD_CONF $SSSD_CONF_DIR/*.conf"); do
     if [ ! -e "$f" ]; then
         continue
     fi
 
     # find key in section and change value
     if grep -qzosP "(?m)^[[:space:]]*\[pam\]([^\n\[]*\n+)+?[[:space:]]*pam_cert_auth" "$f"; then
-        if ! grep -qzosP "(?m)^[[:space:]]*pam_cert_auth[[:space:]]*=[[:space:]]*True" "$f"; then
 
             sed -i "/^[[:space:]]*pam_cert_auth/s/\([[:blank:]]*=[[:blank:]]*\).*/\1True/" "$f"
 
-        fi
+
+        # remove duplicate key lines, keep only the first occurrence
+        sed -i '0,/^[[:space:]]*pam_cert_auth[[:blank:]]*=/b; /^[[:space:]]*pam_cert_auth[[:blank:]]*=/d' "$f"
 
         found=true
 
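Review bot: the "domain exists" test is just `grep '^\s*\[domain/'`, but SSSD also needs that domain to be enabled, either listed in `domains =` under `[sssd]` or (on newer SSSD) marked `enabled = true` in its own section; a host with a `[domain/foo]` stanza nobody listed still fails with "No domains configured", and the macro now silently accepts that shape. Either extend the check to require a `domains =` entry as well, or state in the rule description that the stub only covers the no-domain-at-all case. That matters for this rule in particular: `pam_cert_auth = True` only takes effect once the pam responder and a domain are actually running.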
@@ -35,7 +53,7 @@
 
 # if section not in any file, append section with key = value to FIRST file in files parameter
 if ! $found ; then
-    file=$(echo "/etc/sssd/sssd.conf /etc/sssd/conf.d/*.conf" | cut -f1 -d ' ')
+    file=$(echo "$SSSD_CONF $SSSD_CONF_DIR/*.conf" | cut -f1 -d ' ')
     mkdir -p "$(dirname "$file")"
 
     echo -e "[pam]\npam_cert_auth=True" >> "$file"

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sssd_enable_smartcards' differs.
--- xccdf_org.ssgproject.content_rule_sssd_enable_smartcards
+++ xccdf_org.ssgproject.content_rule_sssd_enable_smartcards
@@ -12,9 +12,27 @@
   - no_reboot_needed
   - sssd_enable_smartcards
 
-- name: Test for domain group
+- name: Test for domain group in main config
   ansible.builtin.command: grep '^\s*\[domain\/[^]]*]' /etc/sssd/sssd.conf
   register: test_grep_domain
+  failed_when: false
+  changed_when: false
+  check_mode: false
+  when: '"sssd-common" in ansible_facts.packages'
+  tags:
+  - CCE-80909-5
+  - DISA-STIG-RHEL-08-020250
+  - PCI-DSS-Req-8.3
+  - configure_strategy
+  - low_complexity
+  - medium_disruption
+  - medium_severity
+  - no_reboot_needed
+  - sssd_enable_smartcards
+
+- name: Test for domain group in conf.d
+  ansible.builtin.shell: grep -rs '^\s*\[domain\/[^]]*]' /etc/sssd/conf.d/*.conf 2>/dev/null
+  register: test_grep_domain_conf_d
   failed_when: false
   changed_when: false
   check_mode: false
@@ -49,6 +67,8 @@
   - '"sssd-common" in ansible_facts.packages'
   - test_grep_domain.stdout is defined
   - test_grep_domain.stdout | length < 1
+  - test_grep_domain_conf_d.stdout is defined
+  - test_grep_domain_conf_d.stdout | length < 1
   tags:
   - CCE-80909-5
   - DISA-STIG-RHEL-08-020250
@@ -80,9 +100,9 @@
   - no_reboot_needed
   - sssd_enable_smartcards
 
-- name: Find all the conf files inside /etc/sssd/conf.d/
+- name: Find all the conf files inside /etc/sssd/conf.d
   ansible.builtin.find:
-    paths: /etc/sssd/conf.d/
+    paths: /etc/sssd/conf.d
     patterns: '*.conf'
   register: sssd_conf_d_files
   when: '"sssd-common" in ansible_facts.packages'
@@ -97,7 +117,7 @@
   - no_reboot_needed
   - sssd_enable_smartcards
 
-- name: Fix pam_cert_auth configuration in /etc/sssd/conf.d/
+- name: Fix pam_cert_auth configuration in /etc/sssd/conf.d
   ansible.builtin.replace:
     path: '{{ item.path }}'
     regexp: '[^#]*pam_cert_auth.*'

bash remediation for rule 'xccdf_org.ssgproject.content_rule_sssd_memcache_timeout' differs.
--- xccdf_org.ssgproject.content_rule_sssd_memcache_timeout
+++ xccdf_org.ssgproject.content_rule_sssd_memcache_timeout
@@ -9,21 +9,39 @@
 OLD_UMASK=$(umask)
 umask u=rw,go=
 
+SSSD_CONF="/etc/sssd/sssd.conf"
+SSSD_CONF_DIR="/etc/sssd/conf.d"
+mkdir -p "$(dirname "$SSSD_CONF")"
+if [ ! -f "$SSSD_CONF" ]; then
+    touch "$SSSD_CONF"
+fi
+if ! grep -qsrP '^\s*\[domain/' "$SSSD_CONF" "$SSSD_CONF_DIR"/*.conf 2>/dev/null; then
+cat >> "$SSSD_CONF" << EOF
+
+[sssd]
+domains = default
+
+[domain/default]
+id_provider = files
+EOF
+fi
+
 found=false
 
 # set value in all files if they contain section or key
-for f in $(echo -n "/etc/sssd/sssd.conf"); do
+for f in $(echo -n "$SSSD_CONF"); do
     if [ ! -e "$f" ]; then
         continue
     fi
 
     # find key in section and change value
     if grep -qzosP "(?m)^[[:space:]]*\[nss\]([^\n\[]*\n+)+?[[:space:]]*memcache_timeout" "$f"; then
-        if ! grep -qzosP "(?m)^[[:space:]]*memcache_timeout[[:space:]]*=[[:space:]]*$var_sssd_memcache_timeout" "$f"; then
 
             sed -i "/^[[:space:]]*memcache_timeout/s/\([[:blank:]]*=[[:blank:]]*\).*/\1$var_sssd_memcache_timeout/" "$f"
 
-        fi
+
+        # remove duplicate key lines, keep only the first occurrence
+        sed -i '0,/^[[:space:]]*memcache_timeout[[:blank:]]*=/b; /^[[:space:]]*memcache_timeout[[:blank:]]*=/d' "$f"
 
         found=true
 
@@ -38,7 +56,7 @@
 
 # if section not in any file, append section with key = value to FIRST file in files parameter
 if ! $found ; then
-    file=$(echo "/etc/sssd/sssd.conf" | cut -f1 -d ' ')
+    file=$(echo "$SSSD_CONF" | cut -f1 -d ' ')
     mkdir -p "$(dirname "$file")"
 
     echo -e "[nss]\nmemcache_timeout=$var_sssd_memcache_timeout" >> "$file"

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sssd_memcache_timeout' differs.
--- xccdf_org.ssgproject.content_rule_sssd_memcache_timeout
+++ xccdf_org.ssgproject.content_rule_sssd_memcache_timeout
@@ -17,9 +17,27 @@
   tags:
     - always
 
-- name: Test for domain group
-  ansible.builtin.command: grep '\s*\[domain\/[^]]*]' /etc/sssd/sssd.conf
+- name: Test for domain group in main config
+  ansible.builtin.command: grep '^\s*\[domain\/[^]]*]' /etc/sssd/sssd.conf
   register: test_grep_domain
+  failed_when: false
+  changed_when: false
+  check_mode: false
+  when: '"sssd-common" in ansible_facts.packages'
+  tags:
+  - CCE-80910-3
+  - NIST-800-53-CM-6(a)
+  - NIST-800-53-IA-5(13)
+  - low_complexity
+  - medium_disruption
+  - medium_severity
+  - no_reboot_needed
+  - sssd_memcache_timeout
+  - unknown_strategy
+
+- name: Test for domain group in conf.d
+  ansible.builtin.shell: grep -rs '^\s*\[domain\/[^]]*]' /etc/sssd/conf.d/*.conf 2>/dev/null
+  register: test_grep_domain_conf_d
   failed_when: false
   changed_when: false
   check_mode: false
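Review bot: anchoring the grep to `^\s*\[domain\/[^]]*]` (previously unanchored) is the right fix and deserves a line in the description: the old pattern also matched a commented-out `# [domain/example]` header, so a host whose only domain was disabled by comment would have been treated as configured and the stub skipped. The bash macro uses the same anchored form, so the two sides stay consistent.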
@@ -54,6 +72,8 @@
   - '"sssd-common" in ansible_facts.packages'
   - test_grep_domain.stdout is defined
   - test_grep_domain.stdout | length < 1
+  - test_grep_domain_conf_d.stdout is defined
+  - test_grep_domain_conf_d.stdout | length < 1
   tags:
   - CCE-80910-3
   - NIST-800-53-CM-6(a)

bash remediation for rule 'xccdf_org.ssgproject.content_rule_sssd_offline_cred_expiration' differs.
--- xccdf_org.ssgproject.content_rule_sssd_offline_cred_expiration
+++ xccdf_org.ssgproject.content_rule_sssd_offline_cred_expiration
@@ -6,21 +6,39 @@
 OLD_UMASK=$(umask)
 umask u=rw,go=
 
+SSSD_CONF="/etc/sssd/sssd.conf"
+SSSD_CONF_DIR="/etc/sssd/conf.d"
+mkdir -p "$(dirname "$SSSD_CONF")"
+if [ ! -f "$SSSD_CONF" ]; then
+    touch "$SSSD_CONF"
+fi
+if ! grep -qsrP '^\s*\[domain/' "$SSSD_CONF" "$SSSD_CONF_DIR"/*.conf 2>/dev/null; then
+cat >> "$SSSD_CONF" << EOF
+
+[sssd]
+domains = default
+
+[domain/default]
+id_provider = files
+EOF
+fi
+
 found=false
 
 # set value in all files if they contain section or key
-for f in $(echo -n "/etc/sssd/sssd.conf /etc/sssd/conf.d/*.conf"); do
+for f in $(echo -n "$SSSD_CONF $SSSD_CONF_DIR/*.conf"); do
     if [ ! -e "$f" ]; then
         continue
     fi
 
     # find key in section and change value
     if grep -qzosP "(?m)^[[:space:]]*\[pam\]([^\n\[]*\n+)+?[[:space:]]*offline_credentials_expiration" "$f"; then
-        if ! grep -qzosP "(?m)^[[:space:]]*offline_credentials_expiration[[:space:]]*=[[:space:]]*1" "$f"; then
 
             sed -i "/^[[:space:]]*offline_credentials_expiration/s/\([[:blank:]]*=[[:blank:]]*\).*/\11/" "$f"
 
-        fi
+
+        # remove duplicate key lines, keep only the first occurrence
+        sed -i '0,/^[[:space:]]*offline_credentials_expiration[[:blank:]]*=/b; /^[[:space:]]*offline_credentials_expiration[[:blank:]]*=/d' "$f"
 
         found=true
 
@@ -35,7 +53,7 @@
 
 # if section not in any file, append section with key = value to FIRST file in files parameter
 if ! $found ; then
-    file=$(echo "/etc/sssd/sssd.conf /etc/sssd/conf.d/*.conf" | cut -f1 -d ' ')
+    file=$(echo "$SSSD_CONF $SSSD_CONF_DIR/*.conf" | cut -f1 -d ' ')
     mkdir -p "$(dirname "$file")"
 
     echo -e "[pam]\noffline_credentials_expiration=1" >> "$file"

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sssd_offline_cred_expiration' differs.
--- xccdf_org.ssgproject.content_rule_sssd_offline_cred_expiration
+++ xccdf_org.ssgproject.content_rule_sssd_offline_cred_expiration
@@ -13,9 +13,28 @@
   - no_reboot_needed
   - sssd_offline_cred_expiration
 
-- name: Test for domain group
-  ansible.builtin.command: grep '\s*\[domain\/[^]]*]' /etc/sssd/sssd.conf
+- name: Test for domain group in main config
+  ansible.builtin.command: grep '^\s*\[domain\/[^]]*]' /etc/sssd/sssd.conf
   register: test_grep_domain
+  failed_when: false
+  changed_when: false
+  check_mode: false
+  when: '"sssd-common" in ansible_facts.packages'
+  tags:
+  - CCE-82460-7
+  - DISA-STIG-RHEL-08-020290
+  - NIST-800-53-CM-6(a)
+  - NIST-800-53-IA-5(13)
+  - configure_strategy
+  - low_complexity
+  - medium_disruption
+  - medium_severity
+  - no_reboot_needed
+  - sssd_offline_cred_expiration
+
+- name: Test for domain group in conf.d
+  ansible.builtin.shell: grep -rs '^\s*\[domain\/[^]]*]' /etc/sssd/conf.d/*.conf 2>/dev/null
+  register: test_grep_domain_conf_d
   failed_when: false
   changed_when: false
   check_mode: false
@@ -51,6 +70,8 @@
   - '"sssd-common" in ansible_facts.packages'
   - test_grep_domain.stdout is defined
   - test_grep_domain.stdout | length < 1
+  - test_grep_domain_conf_d.stdout is defined
+  - test_grep_domain_conf_d.stdout | length < 1
   tags:
   - CCE-82460-7
   - DISA-STIG-RHEL-08-020290
@@ -84,9 +105,9 @@
   - no_reboot_needed
   - sssd_offline_cred_expiration
 
-- name: Find all the conf files inside /etc/sssd/conf.d/
+- name: Find all the conf files inside /etc/sssd/conf.d
   ansible.builtin.find:
-    paths: /etc/sssd/conf.d/
+    paths: /etc/sssd/conf.d
     patterns: '*.conf'
   register: sssd_conf_d_files
   when: '"sssd-common" in ansible_facts.packages'
@@ -102,7 +123,7 @@
   - no_reboot_needed
   - sssd_offline_cred_expiration
 
-- name: Fix offline_credentials_expiration configuration in /etc/sssd/conf.d/
+- name: Fix offline_credentials_expiration configuration in /etc/sssd/conf.d
   ansible.builtin.replace:
     path: '{{ item.path }}'
     regexp: '[^#]*offline_credentials_expiration.*'

bash remediation for rule 'xccdf_org.ssgproject.content_rule_sssd_run_as_sssd_user' differs.
--- xccdf_org.ssgproject.content_rule_sssd_run_as_sssd_user
+++ xccdf_org.ssgproject.content_rule_sssd_run_as_sssd_user
@@ -1,28 +1,46 @@
 # Remediation is applicable only in certain platforms
 if rpm --quiet -q sssd-common; then
-
-MAIN_CONF="/etc/sssd/conf.d/ospp.conf"
 
 # sssd configuration files must be created with 600 permissions if they don't exist
 # otherwise the sssd module fails to start
 OLD_UMASK=$(umask)
 umask u=rw,go=
 
+SSSD_CONF="/etc/sssd/sssd.conf"
+SSSD_CONF_DIR="/etc/sssd/conf.d"
+mkdir -p "$(dirname "$SSSD_CONF")"
+if [ ! -f "$SSSD_CONF" ]; then
+    touch "$SSSD_CONF"
+fi
+if ! grep -qsrP '^\s*\[domain/' "$SSSD_CONF" "$SSSD_CONF_DIR"/*.conf 2>/dev/null; then
+cat >> "$SSSD_CONF" << EOF
+
+[sssd]
+domains = default
+
+[domain/default]
+id_provider = files
+EOF
+fi
+
+MAIN_CONF="$SSSD_CONF_DIR/ospp.conf"
+
 found=false
 
 # set value in all files if they contain section or key
-for f in $(echo -n "$MAIN_CONF /etc/sssd/sssd.conf /etc/sssd/conf.d/*.conf"); do
+for f in $(echo -n "$MAIN_CONF $SSSD_CONF $SSSD_CONF_DIR/*.conf"); do
     if [ ! -e "$f" ]; then
         continue
     fi
 
     # find key in section and change value
     if grep -qzosP "(?m)^[[:space:]]*\[sssd\]([^\n\[]*\n+)+?[[:space:]]*user" "$f"; then
-        if ! grep -qzosP "(?m)^[[:space:]]*user[[:space:]]*=[[:space:]]*sssd" "$f"; then
 
             sed -i "/^[[:space:]]*user/s/\([[:blank:]]*=[[:blank:]]*\).*/\1sssd/" "$f"
 
-        fi
+
+        # remove duplicate key lines, keep only the first occurrence
+        sed -i '0,/^[[:space:]]*user[[:blank:]]*=/b; /^[[:space:]]*user[[:blank:]]*=/d' "$f"
 
         found=true
 
@@ -37,7 +55,7 @@
 
 # if section not in any file, append section with key = value to FIRST file in files parameter
 if ! $found ; then
-    file=$(echo "$MAIN_CONF /etc/sssd/sssd.conf /etc/sssd/conf.d/*.conf" | cut -f1 -d ' ')
+    file=$(echo "$MAIN_CONF $SSSD_CONF $SSSD_CONF_DIR/*.conf" | cut -f1 -d ' ')
     mkdir -p "$(dirname "$file")"
 
     echo -e "[sssd]\nuser=sssd" >> "$file"

bash remediation for rule 'xccdf_org.ssgproject.content_rule_sssd_ssh_known_hosts_timeout' differs.
--- xccdf_org.ssgproject.content_rule_sssd_ssh_known_hosts_timeout
+++ xccdf_org.ssgproject.content_rule_sssd_ssh_known_hosts_timeout
@@ -9,21 +9,39 @@
 OLD_UMASK=$(umask)
 umask u=rw,go=
 
+SSSD_CONF="/etc/sssd/sssd.conf"
+SSSD_CONF_DIR="/etc/sssd/conf.d"
+mkdir -p "$(dirname "$SSSD_CONF")"
+if [ ! -f "$SSSD_CONF" ]; then
+    touch "$SSSD_CONF"
+fi
+if ! grep -qsrP '^\s*\[domain/' "$SSSD_CONF" "$SSSD_CONF_DIR"/*.conf 2>/dev/null; then
+cat >> "$SSSD_CONF" << EOF
+
+[sssd]
+domains = default
+
+[domain/default]
+id_provider = files
+EOF
+fi
+
 found=false
 
 # set value in all files if they contain section or key
-for f in $(echo -n "/etc/sssd/sssd.conf"); do
+for f in $(echo -n "$SSSD_CONF"); do
     if [ ! -e "$f" ]; then
         continue
     fi
 
     # find key in section and change value
     if grep -qzosP "(?m)^[[:space:]]*\[ssh\]([^\n\[]*\n+)+?[[:space:]]*ssh_known_hosts_timeout" "$f"; then
-        if ! grep -qzosP "(?m)^[[:space:]]*ssh_known_hosts_timeout[[:space:]]*=[[:space:]]*$var_sssd_ssh_known_hosts_timeout" "$f"; then
 
             sed -i "/^[[:space:]]*ssh_known_hosts_timeout/s/\([[:blank:]]*=[[:blank:]]*\).*/\1$var_sssd_ssh_known_hosts_timeout/" "$f"
 
-        fi
+
+        # remove duplicate key lines, keep only the first occurrence
+        sed -i '0,/^[[:space:]]*ssh_known_hosts_timeout[[:blank:]]*=/b; /^[[:space:]]*ssh_known_hosts_timeout[[:blank:]]*=/d' "$f"
 
         found=true
 
@@ -38,7 +56,7 @@
 
 # if section not in any file, append section with key = value to FIRST file in files parameter
 if ! $found ; then
-    file=$(echo "/etc/sssd/sssd.conf" | cut -f1 -d ' ')
+    file=$(echo "$SSSD_CONF" | cut -f1 -d ' ')
     mkdir -p "$(dirname "$file")"
 
     echo -e "[ssh]\nssh_known_hosts_timeout=$var_sssd_ssh_known_hosts_timeout" >> "$file"

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sssd_ssh_known_hosts_timeout' differs.
--- xccdf_org.ssgproject.content_rule_sssd_ssh_known_hosts_timeout
+++ xccdf_org.ssgproject.content_rule_sssd_ssh_known_hosts_timeout
@@ -17,9 +17,27 @@
   tags:
     - always
 
-- name: Test for domain group
-  ansible.builtin.command: grep '\s*\[domain\/[^]]*]' /etc/sssd/sssd.conf
+- name: Test for domain group in main config
+  ansible.builtin.command: grep '^\s*\[domain\/[^]]*]' /etc/sssd/sssd.conf
   register: test_grep_domain
+  failed_when: false
+  changed_when: false
+  check_mode: false
+  when: '"sssd-common" in ansible_facts.packages'
+  tags:
+  - CCE-82442-5
+  - NIST-800-53-CM-6(a)
+  - NIST-800-53-IA-5(13)
+  - low_complexity
+  - medium_disruption
+  - medium_severity
+  - no_reboot_needed
+  - sssd_ssh_known_hosts_timeout
+  - unknown_strategy
+
+- name: Test for domain group in conf.d
+  ansible.builtin.shell: grep -rs '^\s*\[domain\/[^]]*]' /etc/sssd/conf.d/*.conf 2>/dev/null
+  register: test_grep_domain_conf_d
   failed_when: false
   changed_when: false
   check_mode: false
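Review bot: the new conf.d task is the one the github-actions shell-module warning refers to, and it needs `shell` only for the `*.conf` glob and the `2>/dev/null`, both of which grep can do itself. `ansible.builtin.command: grep -rs --include='*.conf' '^\s*\[domain\/[^]]*]' /etc/sssd/conf.d` yields the same stdout (`-s` silences a missing directory and `failed_when: false` already covers the non-zero exit), and the same rewrite applies to the identical task in the `sssd_offline_cred_expiration` playbook earlier in this diff.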
@@ -54,6 +72,8 @@
   - '"sssd-common" in ansible_facts.packages'
   - test_grep_domain.stdout is defined
   - test_grep_domain.stdout | length < 1
+  - test_grep_domain_conf_d.stdout is defined
+  - test_grep_domain_conf_d.stdout | length < 1
   tags:
   - CCE-82442-5
   - NIST-800-53-CM-6(a)

@github-actions

Change in Ansible shell module found.

Please consider using a more suitable Ansible module than shell if possible.

Labels

do-not-merge/work-in-progress Used by openshift-ci bot.

Development

Successfully merging this pull request may close these issues.

sssd.service fails to start after hardening with ism_o, stig and anssi profiles