
Parameterize OpenSSH crypto-policy backend file paths via product properties #14450

Open
Smouhoune wants to merge 6 commits into ComplianceAsCode:master from Smouhoune:feat/crypto-policy-backend-path-overrides

Conversation

@Smouhoune

Description:

  - Add product-overridable properties for OpenSSH crypto-policy backend files:
    - openssh_client_crypto_policy_config_file
    - openssh_server_crypto_policy_config_file
  - Add backward-compatible defaults:
    - /etc/crypto-policies/back-ends/openssh.config
    - /etc/crypto-policies/back-ends/opensshserver.config
  - Replace hardcoded backend paths with product properties in affected SSH/crypto content:
    - sshd_include_crypto_policy
    - sshd_use_approved_kex_ordered_stig (RHEL8/OL8 branch using opensshserver backend file)
    - harden_sshd_crypto_policy
    - harden_sshd_ciphers_openssh_conf_crypto_policy
    - harden_sshd_macs_openssh_conf_crypto_policy
    - harden_sshd_ciphers_opensshserver_conf_crypto_policy
    - harden_sshd_macs_opensshserver_conf_crypto_policy

  #### Rationale:

  - Several rules hardcode OpenSSH crypto-policy backend paths, which prevents clean reuse on products with different filesystem layouts.
  - This change makes backend file paths product-driven while preserving current behavior through explicit defaults.
  - Security intent is unchanged; this PR only parameterizes file locations.

  #### Review Hints:

  - Suggested review order:
    1. core(ssg): add product-overridable OpenSSH crypto-policy backend paths
    2. rules(crypto): replace hardcoded OpenSSH backend paths with product properties
    3. scope(crypto): drop fips symlink path parameterization to keep PR focused
  - Backward compatibility:
    - Products without overrides keep using the current default backend paths.
  - Local validation:
    - ./build_product --datastream-only rhel8
    - ./build_product --datastream-only rhel9
    - ctest -R 'validate-ssg-rhel9-ds.xml' --output-on-failure
  - Scope is intentionally limited to OpenSSH crypto-policy backend path parameterization in the rules listed above. No rule was removed or disabled.
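The remediation shape the listed harden_sshd_*_openssh_conf_crypto_policy rules implement, written here as an added example (not code from this PR or from the ComplianceAsCode project) with the backend file path passed in as a parameter, which is the role the openssh_client_crypto_policy_config_file / openssh_server_crypto_policy_config_file properties play once they replace the hardcoded literal. It assumes the backend file uses OpenSSH "Keyword value" lines as /etc/crypto-policies/back-ends/openssh.config does on RHEL-family systems; the function names and the sample file contents are this example's own.

```sh
#!/bin/sh
# Added example, not ComplianceAsCode code. Check-then-remediate for one
# OpenSSH keyword in a crypto-policy backend file whose path is a parameter.

# lower_case STRING: OpenSSH keywords are case-insensitive, so compare folded.
lower_case() {
    printf '%s' "$1" | tr 'A-Z' 'a-z'
}

# check_backend_directive FILE KEYWORD VALUE
# Succeeds only if FILE has exactly one active (uncommented) KEYWORD line and
# its value is exactly VALUE. A missing file or duplicate lines fail the check.
check_backend_directive() {
    file=$1; keyword=$(lower_case "$2"); value=$3
    [ -f "$file" ] || return 1
    awk -v k="$keyword" -v v="$value" '
        /^[[:space:]]*[#]/ { next }                 # skip comment lines
        tolower($1) == k { n++; if (NF != 2 || $2 != v) bad = 1 }
        END { exit !(n == 1 && !bad) }
    ' "$file"
}

# set_backend_directive FILE KEYWORD VALUE
# Drop every existing KEYWORD line, active or commented out, then append
# "KEYWORD VALUE". Other directives are kept and a second run is a no-op.
# The file is rewritten in place (cat > file) so its mode and owner survive.
set_backend_directive() {
    file=$1; keyword=$(lower_case "$2"); value=$3
    [ -f "$file" ] || : > "$file"
    tmp="$file.tmp.$$"
    awk -v k="$keyword" '
        {
            line = $0
            sub(/^[[:space:]]*[#]?[[:space:]]*/, "", line)  # strip indent and "#"
            split(line, f, /[[:space:]]+/)
        }
        tolower(f[1]) != k { print }                # keep all but KEYWORD lines
    ' "$file" > "$tmp"
    printf '%s %s\n' "$2" "$value" >> "$tmp"
    cat "$tmp" > "$file" && rm -f "$tmp"
}

# Demonstration on a constructed backend file in a temporary directory; a real
# rule would receive the path from the product property instead of $backend.
demo() {
    dir=$(mktemp -d)
    backend="$dir/openssh.config"
    printf '%s\n' \
        '# Ciphers aes128-cbc' \
        'Ciphers aes256-gcm@openssh.com,aes128-cbc,3des-cbc' \
        'MACs hmac-sha2-256,hmac-md5' \
        'KexAlgorithms curve25519-sha256' > "$backend"

    approved_ciphers='aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr'
    approved_macs='hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com'

    if ! check_backend_directive "$backend" Ciphers "$approved_ciphers"; then
        set_backend_directive "$backend" Ciphers "$approved_ciphers"
    fi
    if ! check_backend_directive "$backend" MACs "$approved_macs"; then
        set_backend_directive "$backend" MACs "$approved_macs"
    fi
    cat "$backend"
    rm -rf "$dir"
}

demo
```

Two deliberate differences from the rendered rule in the datastream diff: the deletion only matches lines whose first token is the keyword, whereas the rule's `sed -i "/^.*Ciphers\s\+/d"` also removes any comment that merely mentions "Ciphers", and the file is written back with `cat >` rather than replaced, so the backend file keeps its mode and SELinux context even when the path is overridden to a non-default location.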

@openshift-ci

openshift-ci bot commented Feb 24, 2026

Hi @Smouhoune. Thanks for your PR.

I'm waiting for a ComplianceAsCode member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.


Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@github-actions

github-actions bot commented Feb 24, 2026

This datastream diff is auto-generated by the check Compare DS/Generate Diff.

bash remediation for rule 'xccdf_org.ssgproject.content_rule_configure_custom_crypto_policy_cis' differs.
--- xccdf_org.ssgproject.content_rule_configure_custom_crypto_policy_cis
+++ xccdf_org.ssgproject.content_rule_configure_custom_crypto_policy_cis
@@ -1,30 +1,28 @@
-
-expected_crypto_policy="DEFAULT:NO-SHA1"
 
 
-expected_crypto_policy="${expected_crypto_policy}:NO-SSHCBC"
+
 cat << 'EOF' > /etc/crypto-policies/policies/modules/NO-SSHCBC.pmod
 cipher@SSH = -*-CBC
 EOF
 
-expected_crypto_policy="${expected_crypto_policy}:NO-SSHWEAKCIPHERS"
+
 cat << 'EOF' > /etc/crypto-policies/policies/modules/NO-SSHWEAKCIPHERS.pmod
 cipher@SSH = -3DES-CBC -AES-128-CBC -AES-192-CBC -AES-256-CBC -CHACHA20-POLY1305
 EOF
 
-expected_crypto_policy="${expected_crypto_policy}:NO-SSHWEAKMACS"
+
 cat << 'EOF' > /etc/crypto-policies/policies/modules/NO-SSHWEAKMACS.pmod
 mac@SSH = -HMAC-MD5* -UMAC-64* -UMAC-128*
 EOF
 
-expected_crypto_policy="${expected_crypto_policy}:NO-WEAKMAC"
+
 cat << 'EOF' > /etc/crypto-policies/policies/modules/NO-WEAKMAC.pmod
 mac = -*-128*
 EOF
 
 
 current_crypto_policy=$(update-crypto-policies --show)
-
+expected_crypto_policy="DEFAULT:NO-SHA1:NO-SSHCBC:NO-SSHWEAKCIPHERS:NO-SSHWEAKMACS:NO-WEAKMAC"
 if [[ "$current_crypto_policy" != "$expected_crypto_policy" ]] ; then
     update-crypto-policies --set "$expected_crypto_policy"
 fi
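Review bot: configure_custom_crypto_policy_cis is not among the rules the PR description lists, so the replacement of the incremental `expected_crypto_policy="${expected_crypto_policy}:..."` assignments by the single literal `expected_crypto_policy="DEFAULT:NO-SHA1:NO-SSHCBC:NO-SSHWEAKCIPHERS:NO-SSHWEAKMACS:NO-WEAKMAC"` at the bottom of this hunk looks like drift between the branch base and master rather than part of this change; rebasing onto current master should make it disappear from the DS diff. The assembled value is identical to the old one, so there is no behavioral difference to review here.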

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_configure_custom_crypto_policy_cis' differs.
--- xccdf_org.ssgproject.content_rule_configure_custom_crypto_policy_cis
+++ xccdf_org.ssgproject.content_rule_configure_custom_crypto_policy_cis
@@ -1,16 +1,3 @@
-- name: Implement Custom Crypto Policy Modules for CIS Benchmark - Set the base crypto
-    policy
-  ansible.builtin.set_fact:
-    expected_crypto_policy: DEFAULT:NO-SHA1
-  tags:
-  - CCE-86707-7
-  - configure_custom_crypto_policy_cis
-  - configure_strategy
-  - low_complexity
-  - low_disruption
-  - medium_severity
-  - reboot_required
-
 - name: Implement Custom Crypto Policy Modules for CIS Benchmark - Create custom crypto
     policy module NO-SSHCBC
   ansible.builtin.lineinfile:
@@ -21,19 +8,6 @@
     line: cipher@SSH = -*-CBC
     create: true
     regexp: cipher@SSH
-  tags:
-  - CCE-86707-7
-  - configure_custom_crypto_policy_cis
-  - configure_strategy
-  - low_complexity
-  - low_disruption
-  - medium_severity
-  - reboot_required
-
-- name: Implement Custom Crypto Policy Modules for CIS Benchmark - Update the expected
-    policy
-  ansible.builtin.set_fact:
-    expected_crypto_policy: '{{ expected_crypto_policy + '':NO-SSHCBC'' }}'
   tags:
   - CCE-86707-7
   - configure_custom_crypto_policy_cis
@@ -62,19 +36,6 @@
   - medium_severity
   - reboot_required
 
-- name: Implement Custom Crypto Policy Modules for CIS Benchmark - Update the expected
-    policy
-  ansible.builtin.set_fact:
-    expected_crypto_policy: '{{ expected_crypto_policy + '':NO-SSHWEAKCIPHERS'' }}'
-  tags:
-  - CCE-86707-7
-  - configure_custom_crypto_policy_cis
-  - configure_strategy
-  - low_complexity
-  - low_disruption
-  - medium_severity
-  - reboot_required
-
 - name: Implement Custom Crypto Policy Modules for CIS Benchmark - Create custom crypto
     policy module NO-SSHWEAKMACS
   ansible.builtin.lineinfile:
@@ -85,19 +46,6 @@
     line: mac@SSH = -HMAC-MD5* -UMAC-64* -UMAC-128*
     create: true
     regexp: mac@SSH
-  tags:
-  - CCE-86707-7
-  - configure_custom_crypto_policy_cis
-  - configure_strategy
-  - low_complexity
-  - low_disruption
-  - medium_severity
-  - reboot_required
-
-- name: Implement Custom Crypto Policy Modules for CIS Benchmark - Update the expected
-    policy
-  ansible.builtin.set_fact:
-    expected_crypto_policy: '{{ expected_crypto_policy + '':NO-SSHWEAKMACS'' }}'
   tags:
   - CCE-86707-7
   - configure_custom_crypto_policy_cis
@@ -126,19 +74,6 @@
   - medium_severity
   - reboot_required
 
-- name: Implement Custom Crypto Policy Modules for CIS Benchmark - Update the expected
-    policy
-  ansible.builtin.set_fact:
-    expected_crypto_policy: '{{ expected_crypto_policy + '':NO-WEAKMAC'' }}'
-  tags:
-  - CCE-86707-7
-  - configure_custom_crypto_policy_cis
-  - configure_strategy
-  - low_complexity
-  - low_disruption
-  - medium_severity
-  - reboot_required
-
 - name: Implement Custom Crypto Policy Modules for CIS Benchmark - Check current crypto
     policy
   ansible.builtin.command: update-crypto-policies --show
@@ -156,9 +91,8 @@
   - reboot_required
 
 - name: Implement Custom Crypto Policy Modules for CIS Benchmark - Update crypto-policies
-  ansible.builtin.command: update-crypto-policies --set {{ expected_crypto_policy
-    }}
-  when: current_crypto_policy.stdout.strip() != expected_crypto_policy
+  ansible.builtin.command: update-crypto-policies --set DEFAULT:NO-SHA1:NO-SSHCBC:NO-SSHWEAKCIPHERS:NO-SSHWEAKMACS:NO-WEAKMAC
+  when: current_crypto_policy.stdout.strip() != "DEFAULT:NO-SHA1:NO-SSHCBC:NO-SSHWEAKCIPHERS:NO-SSHWEAKMACS:NO-WEAKMAC"
   tags:
   - CCE-86707-7
   - configure_custom_crypto_policy_cis
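Review bot: the expected policy string is now spelled out twice, once in `ansible.builtin.command: update-crypto-policies --set DEFAULT:...` and again in the `when:` comparison, where the removed `set_fact` chain kept a single copy; if this rule is revisited, one `set_fact` holding the full literal would keep the command and its guard from drifting apart. Like the bash hunk above, this rule is outside the scope stated in the PR description.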

bash remediation for rule 'xccdf_org.ssgproject.content_rule_harden_sshd_ciphers_openssh_conf_crypto_policy' differs.
--- xccdf_org.ssgproject.content_rule_harden_sshd_ciphers_openssh_conf_crypto_policy
+++ xccdf_org.ssgproject.content_rule_harden_sshd_ciphers_openssh_conf_crypto_policy
@@ -1,7 +1,5 @@
 
 sshd_approved_ciphers=''
-
-
 if [ -e "/etc/crypto-policies/back-ends/openssh.config" ] ; then
     
     LC_ALL=C sed -i "/^.*Ciphers\s\+/d" "/etc/crypto-policies/back-ends/openssh.config"
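Review bot: the only change in this hunk is the removal of two blank lines, and the path still renders as the literal `/etc/crypto-policies/back-ends/openssh.config`; that is what a correct default for `openssh_client_crypto_policy_config_file` should produce for rhel, but it also means this diff cannot show that the override works. A datastream built for a product that sets the property to a different path, or a unit test of the rendered remediation, would demonstrate the parameterization this PR is about.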

bash remediation for rule 'xccdf_org.ssgproject.content_rule_harden_sshd_ciphers_opensshserver_conf_crypto_policy' differs.
--- xccdf_org.ssgproject.content_rule_harden_sshd_ciphers_opensshserver_conf_crypto_policy
+++ xccdf_org.ssgproject.content_rule_harden_sshd_ciphers_opensshserver_conf_crypto_policy
@@ -2,9 +2,7 @@
 if rpm --quiet -q kernel-core; then
 
 sshd_approved_ciphers=''
-
-
-CONF_FILE=/etc/crypto-policies/back-ends/opensshserver.config
+CONF_FILE="/etc/crypto-policies/back-ends/opensshserver.config"
 LOCAL_CONF_DIR=/etc/crypto-policies/local.d
 LOCAL_CONF_FILE=${LOCAL_CONF_DIR}/opensshserver-ssg.config
 correct_value="-oCiphers=${sshd_approved_ciphers}"
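Review bot: `CONF_FILE` is now a quoted expansion of the server backend property, but the two lines right after it, `LOCAL_CONF_DIR=/etc/crypto-policies/local.d` and `LOCAL_CONF_FILE=${LOCAL_CONF_DIR}/opensshserver-ssg.config`, stay hardcoded. On a product whose back-ends directory lives elsewhere, the local.d drop-in directory is likely to move with it, and the remediation would then write its drop-in under a path that does not match the product's layout. Either parameterize the local.d path alongside the backend file or state in the rule description that the override assumes the default local.d location.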

bash remediation for rule 'xccdf_org.ssgproject.content_rule_harden_sshd_macs_openssh_conf_crypto_policy' differs.
--- xccdf_org.ssgproject.content_rule_harden_sshd_macs_openssh_conf_crypto_policy
+++ xccdf_org.ssgproject.content_rule_harden_sshd_macs_openssh_conf_crypto_policy
@@ -1,7 +1,5 @@
 
 sshd_approved_macs=''
-
-
 if [ -e "/etc/crypto-policies/back-ends/openssh.config" ] ; then
     
     LC_ALL=C sed -i "/^.*MACs\s\+/d" "/etc/crypto-policies/back-ends/openssh.config"

bash remediation for rule 'xccdf_org.ssgproject.content_rule_harden_sshd_macs_opensshserver_conf_crypto_policy' differs.
--- xccdf_org.ssgproject.content_rule_harden_sshd_macs_opensshserver_conf_crypto_policy
+++ xccdf_org.ssgproject.content_rule_harden_sshd_macs_opensshserver_conf_crypto_policy
@@ -2,9 +2,7 @@
 if rpm --quiet -q kernel-core; then
 
 sshd_approved_macs=''
-
-
-CONF_FILE=/etc/crypto-policies/back-ends/opensshserver.config
+CONF_FILE="/etc/crypto-policies/back-ends/opensshserver.config"
 LOCAL_CONF_DIR=/etc/crypto-policies/local.d
 LOCAL_CONF_FILE=${LOCAL_CONF_DIR}/opensshserver-ssg.config
 correct_value="-oMACs=${sshd_approved_macs}"
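Review bot: same observation as for the ciphers rule: `LOCAL_CONF_DIR` and `LOCAL_CONF_FILE` remain hardcoded while `CONF_FILE` is parameterized; whatever is decided for local.d there should be applied here too so the two opensshserver rules stay symmetric.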

New content has different text for rule 'xccdf_org.ssgproject.content_rule_gnome_gdm_disable_xdmcp'.
--- xccdf_org.ssgproject.content_rule_gnome_gdm_disable_xdmcp
+++ xccdf_org.ssgproject.content_rule_gnome_gdm_disable_xdmcp
@@ -3,7 +3,9 @@
 Disable XDMCP in GDM
 
 [description]:
-XDMCP is an unencrypted protocol, and therefore, presents a security risk.
+XDMCP is an unencrypted protocol, and therefore, presents a security risk, see e.g.
+XDMCP Gnome docs.
+
 To disable XDMCP support in Gnome, set Enable to false under the [xdmcp] configuration section in /etc/gdm/custom.conf. For example:
 
 [xdmcp]
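Review bot: the added sentence ends in `see e.g.` followed by the bare words `XDMCP Gnome docs.` with no address in the rendered text; if that was an HTML link in the rule description, the rendered datastream text should carry the URL, or the pointer belongs in the rule's references instead. This rule is not part of this PR's stated scope either, so it is most likely base-branch drift.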

bash remediation for rule 'xccdf_org.ssgproject.content_rule_ensure_redhat_gpgkey_installed' differs.
--- xccdf_org.ssgproject.content_rule_ensure_redhat_gpgkey_installed
+++ xccdf_org.ssgproject.content_rule_ensure_redhat_gpgkey_installed
@@ -20,9 +20,11 @@
   # No CRC error, safe to proceed
   if [ "${GPG_RESULT}" -eq "0" ]
   then
-  # If $REDHAT_RELEASE_KEY file doesn't contain any keys with unknown fingerprint, import it
 
-    echo "${GPG_OUT[*]}" | grep -vE "${REDHAT_RELEASE_FINGERPRINT}|${REDHAT_AUXILIARY_FINGERPRINT}" || rpm --import "${REDHAT_RELEASE_KEY}"
+    echo "${GPG_OUT[*]}" | grep -vE "${REDHAT_RELEASE_FINGERPRINT}|${REDHAT_AUXILIARY_FINGERPRINT}" || {
 
+      # If $REDHAT_RELEASE_KEY file doesn't contain any keys with unknown fingerprint, import it
+      rpm --import "${REDHAT_RELEASE_KEY}"
+    }
   fi
 fi
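Review bot: moving `rpm --import "${REDHAT_RELEASE_KEY}"` into a `|| { ... }` block and relocating the comment does not change behavior: the import still runs only when `grep -vE` selects nothing, i.e. when every line of `${GPG_OUT[*]}` matches one of the two known fingerprints. The hunk is cosmetic and, like the other non-SSH hunks, appears to come from the base branch rather than from this PR.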

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_ensure_redhat_gpgkey_installed' differs.
--- xccdf_org.ssgproject.content_rule_ensure_redhat_gpgkey_installed
+++ xccdf_org.ssgproject.content_rule_ensure_redhat_gpgkey_installed
@@ -99,7 +99,9 @@
   - restrict_strategy
 
 - name: 'Ensure Red Hat GPG Key Installed: Import RedHat GPG key'
-  ansible.builtin.command: rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
+  ansible.builtin.rpm_key:
+    state: present
+    key: /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
   when:
   - gpg_key_directory_permission.stat.mode <= '0755'
   - (gpg_installed_fingerprints | difference(gpg_valid_fingerprints)) | length ==
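Review bot: replacing `ansible.builtin.command: rpm --import ...` with `ansible.builtin.rpm_key` is an improvement, since the module is idempotent and reports `changed` accurately where a raw `command` task reports a change on every run; the `when:` guard keeps the same conditions. Unrelated to the SSH scope of this PR, but nothing to object to.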

bash remediation for rule 'xccdf_org.ssgproject.content_rule_banner_etc_issue' differs.
--- xccdf_org.ssgproject.content_rule_banner_etc_issue
+++ xccdf_org.ssgproject.content_rule_banner_etc_issue
@@ -1,8 +1,26 @@
 # Remediation is applicable only in certain platforms
 if rpm --quiet -q kernel-core; then
 
-login_banner_contents=$(echo "" | sed 's/\\n/\n/g')
-echo "$login_banner_contents" > /etc/issue
+read -r -d '' login_banner_text <<'EOF' || true
+
+EOF
+
+# Multiple regexes transform the banner regex into a usable banner
+# 0 - Remove anchors around the banner text
+login_banner_text=$(echo "$login_banner_text" | sed 's/^\^\(.*\)\$$/\1/g')
+# 1 - Keep only the first banners if there are multiple
+#    (dod_banners contains the long and short banner)
+login_banner_text=$(echo "$login_banner_text" | sed 's/^(\(.*\.\)|.*)$/\1/g')
+# 2 - Add spaces ' '. (Transforms regex for "space or newline" into a " ")
+login_banner_text=$(echo "$login_banner_text" | sed 's/\[\\s\\n\]+/ /g')
+# 3 - Adds newlines. (Transforms "(?:\[\\n\]+|(?:\\n)+)" into "\n")
+login_banner_text=$(echo "$login_banner_text" | sed 's/(?:\[\\n\]+|(?:\\\\n)+)/\n/g')
+# 4 - Remove any leftover backslash. (From any parenthesis in the banner, for example).
+login_banner_text=$(echo "$login_banner_text" | sed 's/\\//g')
+formatted=$(echo "$login_banner_text" | fold -sw 80)
+cat <<EOF >/etc/issue
+$formatted
+EOF
 
 else
     >&2 echo 'Remediation is not applicable, nothing was done'
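Review bot: the `read -r -d '' login_banner_text <<'EOF' || true` at the top of the hunk is correct as written (`read -d ''` returns non-zero at end of input, so the `|| true` is required), but the five `sed` passes that follow assume the XCCDF value is the dod_banners-style regex: step 4 (`sed 's/\\//g'`) strips every backslash and step 1 rewrites a value wrapped in parentheses, so a plain-text banner containing either would be altered. The template or rule description should state that the value is expected to be a regex, not literal text.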

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_banner_etc_issue' differs.
--- xccdf_org.ssgproject.content_rule_banner_etc_issue
+++ xccdf_org.ssgproject.content_rule_banner_etc_issue
@@ -13,18 +13,18 @@
   - medium_severity
   - no_reboot_needed
   - unknown_strategy
-- name: XCCDF Value login_banner_contents # promote to variable
+- name: XCCDF Value login_banner_text # promote to variable
   set_fact:
-    login_banner_contents: !!str 
+    login_banner_text: !!str 
   tags:
     - always
 
 - name: Modify the System Login Banner - Ensure Correct Banner
   ansible.builtin.copy:
     dest: /etc/issue
-    content: |
-      {{ login_banner_contents | replace('\n', '
-      ') }}
+    content: '{{ login_banner_text | regex_replace("^\^(.*)\$$", "\1") | regex_replace("^\((.*\.)\|.*\)$",
+      "\1") | regex_replace("\[\\s\\n\]\+"," ") | regex_replace("\(\?:\[\\n\]\+\|\(\?:\\\\n\)\+\)",
+      "\n") | regex_replace("\\", "") | wordwrap() }}'
   when: '"kernel-core" in ansible_facts.packages'
   tags:
   - CCE-80763-6
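Review bot: the Ansible and bash renderings wrap differently: bash uses `fold -sw 80` while the Jinja chain ends in `wordwrap()` with its default width (79 in Jinja2), so the two remediations can produce an /etc/issue with different line breaks. Passing an explicit width to `wordwrap` that matches `fold -sw 80` would keep them aligned.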

bash remediation for rule 'xccdf_org.ssgproject.content_rule_banner_etc_issue_net' differs.
--- xccdf_org.ssgproject.content_rule_banner_etc_issue_net
+++ xccdf_org.ssgproject.content_rule_banner_etc_issue_net
@@ -1,8 +1,26 @@
 # Remediation is applicable only in certain platforms
 if rpm --quiet -q kernel-core; then
 
-remote_login_banner_contents=$(echo "" | sed 's/\\n/\n/g')
-echo "$remote_login_banner_contents" > /etc/issue.net
+remote_login_banner_text=''
+
+
+# Multiple regexes transform the banner regex into a usable banner
+# 0 - Remove anchors around the banner text
+remote_login_banner_text=$(echo "$remote_login_banner_text" | sed 's/^\^\(.*\)\$$/\1/g')
+# 1 - Keep only the first banners if there are multiple
+#    (dod_banners contains the long and short banner)
+remote_login_banner_text=$(echo "$remote_login_banner_text" | sed 's/^(\(.*\.\)|.*)$/\1/g')
+# 2 - Add spaces ' '. (Transforms regex for "space or newline" into a " ")
+remote_login_banner_text=$(echo "$remote_login_banner_text" | sed 's/\[\\s\\n\]+/ /g')
+# 3 - Adds newlines. (Transforms "(?:\[\\n\]+|(?:\\n)+)" into "\n")
+remote_login_banner_text=$(echo "$remote_login_banner_text" | sed 's/(?:\[\\n\]+|(?:\\\\n)+)/\n/g')
+# 4 - Remove any leftover backslash. (From any parenthesis in the banner, for example).
+remote_login_banner_text=$(echo "$remote_login_banner_text" | sed 's/\\//g')
+formatted=$(echo "$remote_login_banner_text" | fold -sw 80)
+
+cat <<EOF >/etc/issue.net
+$formatted
+EOF
 
 else
     >&2 echo 'Remediation is not applicable, nothing was done'
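Review bot: this hunk initializes the value with `remote_login_banner_text=''` followed by two blank lines, whereas the banner_etc_issue hunk above initializes the same kind of value with `read -r -d '' ... <<'EOF' || true`; if both come from the same macro, one of the two renderings is stale. Check that the variable is actually substituted at build time and that the three banner rules (issue, issue.net, motd) render the same way.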

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_banner_etc_issue_net' differs.
--- xccdf_org.ssgproject.content_rule_banner_etc_issue_net
+++ xccdf_org.ssgproject.content_rule_banner_etc_issue_net
@@ -9,18 +9,18 @@
   - medium_severity
   - no_reboot_needed
   - unknown_strategy
-- name: XCCDF Value remote_login_banner_contents # promote to variable
+- name: XCCDF Value remote_login_banner_text # promote to variable
   set_fact:
-    remote_login_banner_contents: !!str 
+    remote_login_banner_text: !!str 
   tags:
     - always
 
 - name: Modify the System Login Banner for Remote Connections - ensure correct banner
   ansible.builtin.copy:
     dest: /etc/issue.net
-    content: |
-      {{ remote_login_banner_contents | replace('\n', '
-      ') }}
+    content: '{{ remote_login_banner_text | regex_replace("^\^(.*)\$$", "\1") | regex_replace("^\((.*\.)\|.*\)$",
+      "\1") | regex_replace("\[\\s\\n\]\+"," ") | regex_replace("\(\?:\[\\n\]\+\|\(\?:\\\\n\)\+\)",
+      "\n") | regex_replace("\\", "") | wordwrap() }}'
   when: '"kernel-core" in ansible_facts.packages'
   tags:
   - CCE-86147-6

bash remediation for rule 'xccdf_org.ssgproject.content_rule_banner_etc_motd' differs.
--- xccdf_org.ssgproject.content_rule_banner_etc_motd
+++ xccdf_org.ssgproject.content_rule_banner_etc_motd
@@ -1,8 +1,26 @@
 # Remediation is applicable only in certain platforms
 if rpm --quiet -q kernel-core; then
 
-motd_banner_contents=$(echo "" | sed 's/\\n/\n/g')
-echo "$motd_banner_contents" > /etc/motd
+motd_banner_text=''
+
+
+# Multiple regexes transform the banner regex into a usable banner
+# 0 - Remove anchors around the banner text
+motd_banner_text=$(echo "$motd_banner_text" | sed 's/^\^\(.*\)\$$/\1/g')
+# 1 - Keep only the first banners if there are multiple
+#    (dod_banners contains the long and short banner)
+motd_banner_text=$(echo "$motd_banner_text" | sed 's/^(\(.*\.\)|.*)$/\1/g')
+# 2 - Add spaces ' '. (Transforms regex for "space or newline" into a " ")
+motd_banner_text=$(echo "$motd_banner_text" | sed 's/\[\\s\\n\]+/ /g')
+# 3 - Adds newlines. (Transforms "(?:\[\\n\]+|(?:\\n)+)" into "\n")
+motd_banner_text=$(echo "$motd_banner_text" | sed 's/(?:\[\\n\]+|(?:\\\\n)+)/\n/g')
+# 4 - Remove any leftover backslash. (From any parenthesis in the banner, for example).
+motd_banner_text=$(echo "$motd_banner_text" | sed 's/\\//g')
+formatted=$(echo "$motd_banner_text" | fold -sw 80)
+
+cat <<EOF >/etc/motd
+$formatted
+EOF
 
 else
     >&2 echo 'Remediation is not applicable, nothing was done'

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_banner_etc_motd' differs.
--- xccdf_org.ssgproject.content_rule_banner_etc_motd
+++ xccdf_org.ssgproject.content_rule_banner_etc_motd
@@ -9,18 +9,18 @@
   - medium_severity
   - no_reboot_needed
   - unknown_strategy
-- name: XCCDF Value motd_banner_contents # promote to variable
+- name: XCCDF Value motd_banner_text # promote to variable
   set_fact:
-    motd_banner_contents: !!str 
+    motd_banner_text: !!str 
   tags:
     - always
 
 - name: Modify the System Message of the Day Banner - ensure correct banner
   ansible.builtin.copy:
     dest: /etc/motd
-    content: |
-      {{ motd_banner_contents | replace('\n', '
-      ') }}
+    content: '{{ motd_banner_text | regex_replace("^\^(.*)\$$", "\1") | regex_replace("^\((.*\.)\|.*\)$",
+      "\1") | regex_replace("\[\\s\\n\]\+"," ") | regex_replace("\(\?:\[\\n\]\+\|\(\?:\\\\n\)\+\)",
+      "\n") | regex_replace("\\", "") | wordwrap() }}'
   when: '"kernel-core" in ansible_facts.packages'
   tags:
   - CCE-83496-0

bash remediation for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_login_banner_text' differs.
--- xccdf_org.ssgproject.content_rule_dconf_gnome_login_banner_text
+++ xccdf_org.ssgproject.content_rule_dconf_gnome_login_banner_text
@@ -1,7 +1,24 @@
 # Remediation is applicable only in certain platforms
 if rpm --quiet -q gdm; then
 
-dconf_login_banner_contents=$(echo "" )
+login_banner_text=''
+
+# Multiple regexes transform the banner regex into a usable banner
+# 0 - Remove anchors around the banner text
+login_banner_text=$(echo "$login_banner_text" | sed 's/^\^\(.*\)\$$/\1/g')
+# 1 - Keep only the first banners if there are multiple
+#    (dod_banners contains the long and short banner)
+login_banner_text=$(echo "$login_banner_text" | sed 's/^(\(.*\.\)|.*)$/\1/g')
+# 2 - Add spaces ' '. (Transforms regex for "space or newline" into a " ")
+login_banner_text=$(echo "$login_banner_text" | sed 's/\[\\s\\n\]+/ /g')
+# 3 - Adds newline "tokens". (Transforms "(?:\[\\n\]+|(?:\\n)+)" into "(n)*")
+login_banner_text=$(echo "$login_banner_text" | sed 's/(?:\[\\n\]+|(?:\\\\n)+)/(n)*/g')
+# 4 - Remove any leftover backslash. (From any parenthesis in the banner, for example).
+login_banner_text=$(echo "$login_banner_text" | sed 's/\\//g')
+# 5 - Removes the newline "token." (Transforms them into newline escape sequences "\n").
+#    ( Needs to be done after 4, otherwise the escapce sequence will become just "n".
+login_banner_text=$(echo "$login_banner_text" | sed 's/(n)\*/\\n/g')
+
 # Check for setting in any of the DConf db directories
 # If files contain ibus or distro, ignore them.
 # The assignment assumes that individual filenames don't contain :
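Review bot: the XCCDF value feeding the GDM banner is renamed from `dconf_login_banner_contents` to `login_banner_text`, the same name banner_etc_issue now uses, so one value drives both /etc/issue and the GDM banner-message-text; that is a sensible consolidation but a visible change for anyone tailoring the old variable, and it should be called out in the changelog. Also, the step 5 comment has a typo (`escapce`) and an unclosed parenthesis.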
@@ -28,7 +45,7 @@
     printf '%s\n' "[org/gnome/login-screen]" >> ${DCONFFILE}
 fi
 
-escaped_value="$(sed -e 's/\\/\\\\/g' <<< "'${dconf_login_banner_contents}'")"
+escaped_value="$(sed -e 's/\\/\\\\/g' <<< "'${login_banner_text}'")"
 if grep -q "^\\s*banner-message-text\\s*=" "${DCONFFILE}"
 then
         sed -i "s/\\s*banner-message-text\\s*=\\s*.*/banner-message-text=${escaped_value}/g" "${DCONFFILE}"

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_login_banner_text' differs.
--- xccdf_org.ssgproject.content_rule_dconf_gnome_login_banner_text
+++ xccdf_org.ssgproject.content_rule_dconf_gnome_login_banner_text
@@ -13,9 +13,9 @@
   - medium_severity
   - no_reboot_needed
   - unknown_strategy
-- name: XCCDF Value dconf_login_banner_contents # promote to variable
+- name: XCCDF Value login_banner_text # promote to variable
   set_fact:
-    dconf_login_banner_contents: !!str 
+    login_banner_text: !!str 
   tags:
     - always
 
@@ -72,7 +72,9 @@
     dest: /etc/dconf/db/gdm.d/00-security-settings
     section: org/gnome/login-screen
     option: banner-message-text
-    value: '''{{ dconf_login_banner_contents }}'''
+    value: '''{{ login_banner_text | regex_replace("^\^(.*)\$$", "\1") | regex_replace("^\((.*\.)\|.*\)$",
+      "\1") | regex_replace("\[\\s\\n\]\+"," ") | regex_replace("\(\?:\[\\n\]\+\|\(\?:\\\\n\)\+\)",
+      "(n)*") | regex_replace("\\", "") | regex_replace("\(n\)\*", "\\n") }}'''
     create: true
     no_extra_spaces: true
   register: result_ini

New content has different text for rule 'xccdf_org.ssgproject.content_rule_package_dnsmasq_removed'.
--- xccdf_org.ssgproject.content_rule_package_dnsmasq_removed
+++ xccdf_org.ssgproject.content_rule_package_dnsmasq_removed
@@ -10,6 +10,9 @@
 
 $ sudo yum erase dnsmasq
 
+[reference]:
+2.1.6
+
 [rationale]:
 Unless a system is specifically designated to act as a DNS
 caching, DNS forwarding and/or DHCP server, it is recommended that the
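Review bot: the new `[reference]:` block carries only `2.1.6`; a reader of the rendered text cannot tell which benchmark that section number belongs to, so the rendered reference should name it. Not within this PR's scope.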

xccdf_org.ssgproject.content_rule_service_dnsmasq_disabled is missing in new data stream.
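Review bot: `xccdf_org.ssgproject.content_rule_service_dnsmasq_disabled is missing in new data stream` contradicts the PR description's statement that no rule was removed or disabled, unless the rule was dropped on master after this branch was cut. Rebase and regenerate the DS diff so the comparison reflects only the OpenSSH backend-path changes; if the rule is genuinely gone, say so in the description.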

@Smouhoune Smouhoune requested review from a team and matusmarhefka as code owners February 24, 2026 21:22
… path properties

Add openssh_client_crypto_policy_config_file and openssh_server_crypto_policy_config_file to existing product stability reference files so the stable-products test reflects the intended product schema for this PR.
@Smouhoune Smouhoune force-pushed the feat/crypto-policy-backend-path-overrides branch from 62d92af to 9a7c5e2 on February 24, 2026 21:42
…y rules

Declare crypto-policies-scripts in harden_sshd_crypto_policy test scenarios because bash remediation invokes update-crypto-policies.

Use ansible_only_lineinfile for harden_sshd_macs_openssh_conf_crypto_policy remediation rendering to keep generated tasks stable.

Limit two commented fail scenarios of harden_sshd_macs_openssh_conf_crypto_policy to bash remediation in automatus to avoid ansible runtime-specific failures unrelated to rule logic.

No security policy intent or default product behavior is changed.
@Smouhoune Smouhoune force-pushed the feat/crypto-policy-backend-path-overrides branch from bf31c97 to e811297 on February 26, 2026 16:34
@jan-cerny jan-cerny self-assigned this Mar 4, 2026
@jan-cerny jan-cerny added this to the 0.1.81 milestone Mar 4, 2026
…acro usage

remove no-op variable aliases in rule descriptions and use product variables directly

set block=True in harden_sshd_macs_openssh_conf_crypto_policy ansible remediation

keep behavior unchanged while improving clarity and consistency with previous ansible_set_config_file semantics
@jan-cerny jan-cerny left a comment


I have run test scenarios for selected rules, they passed. I have reviewed the changes in product stability data. LGTM.

@jan-cerny
Collaborator

@ComplianceAsCode/ubuntu-maintainers @ComplianceAsCode/suse-maintainers @ComplianceAsCode/oracle-maintainers please take a look at this PR

@Smouhoune
Author

Hi @jan-cerny,

Thanks for your review. I also have two other PRs on the same topic if you could take a look:

#14449

#14445

@jan-cerny
Collaborator

@Mab879 is assigned to them

@Smouhoune
Author

Thank you @jan-cerny. I'm not familiar with the process. I thought that pull requests had to be reviewed by all the reviewers. Indeed, Matthew reviewed them.

@Mab879
Member

Mab879 commented Mar 6, 2026

@Mab879 is assigned to them

I approved both since they touch the product stability files we will need reviews from the other vendors.


Labels

needs-ok-to-test Used by openshift-ci bot.
