Fix DISA alignment for configure_libreswan_crypto_policy and logind_session_timeout#14477
Open
Arden97 wants to merge 2 commits intoComplianceAsCode:masterfrom
Open
Fix DISA alignment for configure_libreswan_crypto_policy and logind_session_timeout#14477Arden97 wants to merge 2 commits intoComplianceAsCode:masterfrom
Arden97 wants to merge 2 commits intoComplianceAsCode:masterfrom
Conversation
|
This datastream diff is auto generated by the check Click here to see the full diffbash remediation for rule 'xccdf_org.ssgproject.content_rule_configure_libreswan_crypto_policy' differs.
--- xccdf_org.ssgproject.content_rule_configure_libreswan_crypto_policy
+++ xccdf_org.ssgproject.content_rule_configure_libreswan_crypto_policy
@@ -1,5 +1,5 @@
# Remediation is applicable only in certain platforms
-if rpm --quiet -q kernel-core; then
+if ( ( rpm --quiet -q libreswan && rpm --quiet -q kernel-core ) ); then
function remediate_libreswan_crypto_policy() {
CONFIG_FILE="/etc/ipsec.conf"
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_configure_libreswan_crypto_policy' differs.
--- xccdf_org.ssgproject.content_rule_configure_libreswan_crypto_policy
+++ xccdf_org.ssgproject.content_rule_configure_libreswan_crypto_policy
@@ -22,7 +22,8 @@
path: /etc/ipsec.conf
line: include /etc/crypto-policies/back-ends/libreswan.config
create: true
- when: '"kernel-core" in ansible_facts.packages'
+ when: ( "libreswan" in ansible_facts.packages and "kernel-core" in ansible_facts.packages
+ )
tags:
- CCE-80937-6
- DISA-STIG-RHEL-08-010280
Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_configure_libreswan_crypto_policy'
--- xccdf_org.ssgproject.content_rule_configure_libreswan_crypto_policy
+++ xccdf_org.ssgproject.content_rule_configure_libreswan_crypto_policy
@@ -1 +1,2 @@
+oval:ssg-package_libreswan:def:1
oval:ssg-system_with_kernel:def:1
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_ensure_redhat_gpgkey_installed' differs.
--- xccdf_org.ssgproject.content_rule_ensure_redhat_gpgkey_installed
+++ xccdf_org.ssgproject.content_rule_ensure_redhat_gpgkey_installed
@@ -99,7 +99,9 @@
- restrict_strategy
- name: 'Ensure Red Hat GPG Key Installed: Import RedHat GPG key'
- ansible.builtin.command: rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
+ ansible.builtin.rpm_key:
+ state: present
+ key: /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
when:
- gpg_key_directory_permission.stat.mode <= '0755'
- (gpg_installed_fingerprints | difference(gpg_valid_fingerprints)) | length ==
bash remediation for rule 'xccdf_org.ssgproject.content_rule_banner_etc_issue' differs.
--- xccdf_org.ssgproject.content_rule_banner_etc_issue
+++ xccdf_org.ssgproject.content_rule_banner_etc_issue
@@ -1,8 +1,26 @@
# Remediation is applicable only in certain platforms
if rpm --quiet -q kernel-core; then
-login_banner_contents=$(echo "" | sed 's/\\n/\n/g')
-echo "$login_banner_contents" > /etc/issue
+read -r -d '' login_banner_text <<'EOF' || true
+
+EOF
+
+# Multiple regexes transform the banner regex into a usable banner
+# 0 - Remove anchors around the banner text
+login_banner_text=$(echo "$login_banner_text" | sed 's/^\^\(.*\)\$$/\1/g')
+# 1 - Keep only the first banners if there are multiple
+# (dod_banners contains the long and short banner)
+login_banner_text=$(echo "$login_banner_text" | sed 's/^(\(.*\.\)|.*)$/\1/g')
+# 2 - Add spaces ' '. (Transforms regex for "space or newline" into a " ")
+login_banner_text=$(echo "$login_banner_text" | sed 's/\[\\s\\n\]+/ /g')
+# 3 - Adds newlines. (Transforms "(?:\[\\n\]+|(?:\\n)+)" into "\n")
+login_banner_text=$(echo "$login_banner_text" | sed 's/(?:\[\\n\]+|(?:\\\\n)+)/\n/g')
+# 4 - Remove any leftover backslash. (From any parenthesis in the banner, for example).
+login_banner_text=$(echo "$login_banner_text" | sed 's/\\//g')
+formatted=$(echo "$login_banner_text" | fold -sw 80)
+cat <<EOF >/etc/issue
+$formatted
+EOF
else
>&2 echo 'Remediation is not applicable, nothing was done'
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_banner_etc_issue' differs.
--- xccdf_org.ssgproject.content_rule_banner_etc_issue
+++ xccdf_org.ssgproject.content_rule_banner_etc_issue
@@ -13,18 +13,18 @@
- medium_severity
- no_reboot_needed
- unknown_strategy
-- name: XCCDF Value login_banner_contents # promote to variable
+- name: XCCDF Value login_banner_text # promote to variable
set_fact:
- login_banner_contents: !!str
+ login_banner_text: !!str
tags:
- always
- name: Modify the System Login Banner - Ensure Correct Banner
ansible.builtin.copy:
dest: /etc/issue
- content: |
- {{ login_banner_contents | replace('\n', '
- ') }}
+ content: '{{ login_banner_text | regex_replace("^\^(.*)\$$", "\1") | regex_replace("^\((.*\.)\|.*\)$",
+ "\1") | regex_replace("\[\\s\\n\]\+"," ") | regex_replace("\(\?:\[\\n\]\+\|\(\?:\\\\n\)\+\)",
+ "\n") | regex_replace("\\", "") | wordwrap() }}'
when: '"kernel-core" in ansible_facts.packages'
tags:
- CCE-80763-6
bash remediation for rule 'xccdf_org.ssgproject.content_rule_banner_etc_issue_net' differs.
--- xccdf_org.ssgproject.content_rule_banner_etc_issue_net
+++ xccdf_org.ssgproject.content_rule_banner_etc_issue_net
@@ -1,8 +1,26 @@
# Remediation is applicable only in certain platforms
if rpm --quiet -q kernel-core; then
-remote_login_banner_contents=$(echo "" | sed 's/\\n/\n/g')
-echo "$remote_login_banner_contents" > /etc/issue.net
+remote_login_banner_text=''
+
+
+# Multiple regexes transform the banner regex into a usable banner
+# 0 - Remove anchors around the banner text
+remote_login_banner_text=$(echo "$remote_login_banner_text" | sed 's/^\^\(.*\)\$$/\1/g')
+# 1 - Keep only the first banners if there are multiple
+# (dod_banners contains the long and short banner)
+remote_login_banner_text=$(echo "$remote_login_banner_text" | sed 's/^(\(.*\.\)|.*)$/\1/g')
+# 2 - Add spaces ' '. (Transforms regex for "space or newline" into a " ")
+remote_login_banner_text=$(echo "$remote_login_banner_text" | sed 's/\[\\s\\n\]+/ /g')
+# 3 - Adds newlines. (Transforms "(?:\[\\n\]+|(?:\\n)+)" into "\n")
+remote_login_banner_text=$(echo "$remote_login_banner_text" | sed 's/(?:\[\\n\]+|(?:\\\\n)+)/\n/g')
+# 4 - Remove any leftover backslash. (From any parenthesis in the banner, for example).
+remote_login_banner_text=$(echo "$remote_login_banner_text" | sed 's/\\//g')
+formatted=$(echo "$remote_login_banner_text" | fold -sw 80)
+
+cat <<EOF >/etc/issue.net
+$formatted
+EOF
else
>&2 echo 'Remediation is not applicable, nothing was done'
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_banner_etc_issue_net' differs.
--- xccdf_org.ssgproject.content_rule_banner_etc_issue_net
+++ xccdf_org.ssgproject.content_rule_banner_etc_issue_net
@@ -9,18 +9,18 @@
- medium_severity
- no_reboot_needed
- unknown_strategy
-- name: XCCDF Value remote_login_banner_contents # promote to variable
+- name: XCCDF Value remote_login_banner_text # promote to variable
set_fact:
- remote_login_banner_contents: !!str
+ remote_login_banner_text: !!str
tags:
- always
- name: Modify the System Login Banner for Remote Connections - ensure correct banner
ansible.builtin.copy:
dest: /etc/issue.net
- content: |
- {{ remote_login_banner_contents | replace('\n', '
- ') }}
+ content: '{{ remote_login_banner_text | regex_replace("^\^(.*)\$$", "\1") | regex_replace("^\((.*\.)\|.*\)$",
+ "\1") | regex_replace("\[\\s\\n\]\+"," ") | regex_replace("\(\?:\[\\n\]\+\|\(\?:\\\\n\)\+\)",
+ "\n") | regex_replace("\\", "") | wordwrap() }}'
when: '"kernel-core" in ansible_facts.packages'
tags:
- CCE-86147-6
bash remediation for rule 'xccdf_org.ssgproject.content_rule_banner_etc_motd' differs.
--- xccdf_org.ssgproject.content_rule_banner_etc_motd
+++ xccdf_org.ssgproject.content_rule_banner_etc_motd
@@ -1,8 +1,26 @@
# Remediation is applicable only in certain platforms
if rpm --quiet -q kernel-core; then
-motd_banner_contents=$(echo "" | sed 's/\\n/\n/g')
-echo "$motd_banner_contents" > /etc/motd
+motd_banner_text=''
+
+
+# Multiple regexes transform the banner regex into a usable banner
+# 0 - Remove anchors around the banner text
+motd_banner_text=$(echo "$motd_banner_text" | sed 's/^\^\(.*\)\$$/\1/g')
+# 1 - Keep only the first banners if there are multiple
+# (dod_banners contains the long and short banner)
+motd_banner_text=$(echo "$motd_banner_text" | sed 's/^(\(.*\.\)|.*)$/\1/g')
+# 2 - Add spaces ' '. (Transforms regex for "space or newline" into a " ")
+motd_banner_text=$(echo "$motd_banner_text" | sed 's/\[\\s\\n\]+/ /g')
+# 3 - Adds newlines. (Transforms "(?:\[\\n\]+|(?:\\n)+)" into "\n")
+motd_banner_text=$(echo "$motd_banner_text" | sed 's/(?:\[\\n\]+|(?:\\\\n)+)/\n/g')
+# 4 - Remove any leftover backslash. (From any parenthesis in the banner, for example).
+motd_banner_text=$(echo "$motd_banner_text" | sed 's/\\//g')
+formatted=$(echo "$motd_banner_text" | fold -sw 80)
+
+cat <<EOF >/etc/motd
+$formatted
+EOF
else
>&2 echo 'Remediation is not applicable, nothing was done'
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_banner_etc_motd' differs.
--- xccdf_org.ssgproject.content_rule_banner_etc_motd
+++ xccdf_org.ssgproject.content_rule_banner_etc_motd
@@ -9,18 +9,18 @@
- medium_severity
- no_reboot_needed
- unknown_strategy
-- name: XCCDF Value motd_banner_contents # promote to variable
+- name: XCCDF Value motd_banner_text # promote to variable
set_fact:
- motd_banner_contents: !!str
+ motd_banner_text: !!str
tags:
- always
- name: Modify the System Message of the Day Banner - ensure correct banner
ansible.builtin.copy:
dest: /etc/motd
- content: |
- {{ motd_banner_contents | replace('\n', '
- ') }}
+ content: '{{ motd_banner_text | regex_replace("^\^(.*)\$$", "\1") | regex_replace("^\((.*\.)\|.*\)$",
+ "\1") | regex_replace("\[\\s\\n\]\+"," ") | regex_replace("\(\?:\[\\n\]\+\|\(\?:\\\\n\)\+\)",
+ "\n") | regex_replace("\\", "") | wordwrap() }}'
when: '"kernel-core" in ansible_facts.packages'
tags:
- CCE-83496-0
bash remediation for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_login_banner_text' differs.
--- xccdf_org.ssgproject.content_rule_dconf_gnome_login_banner_text
+++ xccdf_org.ssgproject.content_rule_dconf_gnome_login_banner_text
@@ -1,7 +1,24 @@
# Remediation is applicable only in certain platforms
if rpm --quiet -q gdm; then
-dconf_login_banner_contents=$(echo "" )
+login_banner_text=''
+
+# Multiple regexes transform the banner regex into a usable banner
+# 0 - Remove anchors around the banner text
+login_banner_text=$(echo "$login_banner_text" | sed 's/^\^\(.*\)\$$/\1/g')
+# 1 - Keep only the first banners if there are multiple
+# (dod_banners contains the long and short banner)
+login_banner_text=$(echo "$login_banner_text" | sed 's/^(\(.*\.\)|.*)$/\1/g')
+# 2 - Add spaces ' '. (Transforms regex for "space or newline" into a " ")
+login_banner_text=$(echo "$login_banner_text" | sed 's/\[\\s\\n\]+/ /g')
+# 3 - Adds newline "tokens". (Transforms "(?:\[\\n\]+|(?:\\n)+)" into "(n)*")
+login_banner_text=$(echo "$login_banner_text" | sed 's/(?:\[\\n\]+|(?:\\\\n)+)/(n)*/g')
+# 4 - Remove any leftover backslash. (From any parenthesis in the banner, for example).
+login_banner_text=$(echo "$login_banner_text" | sed 's/\\//g')
+# 5 - Removes the newline "token." (Transforms them into newline escape sequences "\n").
+# ( Needs to be done after 4, otherwise the escapce sequence will become just "n".
+login_banner_text=$(echo "$login_banner_text" | sed 's/(n)\*/\\n/g')
+
# Check for setting in any of the DConf db directories
# If files contain ibus or distro, ignore them.
# The assignment assumes that individual filenames don't contain :
@@ -28,7 +45,7 @@
printf '%s\n' "[org/gnome/login-screen]" >> ${DCONFFILE}
fi
-escaped_value="$(sed -e 's/\\/\\\\/g' <<< "'${dconf_login_banner_contents}'")"
+escaped_value="$(sed -e 's/\\/\\\\/g' <<< "'${login_banner_text}'")"
if grep -q "^\\s*banner-message-text\\s*=" "${DCONFFILE}"
then
sed -i "s/\\s*banner-message-text\\s*=\\s*.*/banner-message-text=${escaped_value}/g" "${DCONFFILE}"
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_login_banner_text' differs.
--- xccdf_org.ssgproject.content_rule_dconf_gnome_login_banner_text
+++ xccdf_org.ssgproject.content_rule_dconf_gnome_login_banner_text
@@ -13,9 +13,9 @@
- medium_severity
- no_reboot_needed
- unknown_strategy
-- name: XCCDF Value dconf_login_banner_contents # promote to variable
+- name: XCCDF Value login_banner_text # promote to variable
set_fact:
- dconf_login_banner_contents: !!str
+ login_banner_text: !!str
tags:
- always
@@ -72,7 +72,9 @@
dest: /etc/dconf/db/gdm.d/00-security-settings
section: org/gnome/login-screen
option: banner-message-text
- value: '''{{ dconf_login_banner_contents }}'''
+ value: '''{{ login_banner_text | regex_replace("^\^(.*)\$$", "\1") | regex_replace("^\((.*\.)\|.*\)$",
+ "\1") | regex_replace("\[\\s\\n\]\+"," ") | regex_replace("\(\?:\[\\n\]\+\|\(\?:\\\\n\)\+\)",
+ "(n)*") | regex_replace("\\", "") | regex_replace("\(n\)\*", "\\n") }}'''
create: true
no_extra_spaces: true
register: result_ini
bash remediation for rule 'xccdf_org.ssgproject.content_rule_logind_session_timeout' differs.
--- xccdf_org.ssgproject.content_rule_logind_session_timeout
+++ xccdf_org.ssgproject.content_rule_logind_session_timeout
@@ -3,6 +3,10 @@
var_logind_session_timeout=''
+
+# Remove StopIdleSessionSec from main config
+
+LC_ALL=C sed -i "/^\s*StopIdleSessionSec\s*=/Id" "/etc/systemd/logind.conf"
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_logind_session_timeout' differs.
--- xccdf_org.ssgproject.content_rule_logind_session_timeout
+++ xccdf_org.ssgproject.content_rule_logind_session_timeout
@@ -25,6 +25,38 @@
var_logind_session_timeout: !!str
tags:
- always
+
+- name: Remove StopIdleSessionSec from main config
+ ansible.builtin.lineinfile:
+ path: /etc/systemd/logind.conf
+ regexp: ^\s*StopIdleSessionSec\s*=
+ state: absent
+ when:
+ - '"kernel-core" in ansible_facts.packages'
+ - ( ansible_distribution == 'RedHat' and ansible_distribution_version is version('8.7',
+ '>=') and ansible_distribution == 'RedHat' and ansible_distribution_version is
+ version('9.0', '!=') ) or ansible_distribution == 'OracleLinux' and ansible_distribution_version
+ is version('8.7', '>=') or ansible_distribution == 'SLES' and ansible_distribution_version
+ is version('15', '>=')
+ tags:
+ - CCE-90784-0
+ - CJIS-5.5.6
+ - DISA-STIG-RHEL-08-020035
+ - NIST-800-171-3.1.11
+ - NIST-800-53-AC-12
+ - NIST-800-53-AC-17(a)
+ - NIST-800-53-AC-17(a)
+ - NIST-800-53-AC-2(5)
+ - NIST-800-53-CM-6(a)
+ - NIST-800-53-CM-6(a)
+ - NIST-800-53-SC-10
+ - PCI-DSS-Req-8.1.8
+ - logind_session_timeout
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - reboot_required
+ - restrict_strategy
- name: Set 'StopIdleSessionSec' to '{{ var_logind_session_timeout }}' in the [Login]
section of '/etc/systemd/logind.conf' |
Arden97
force-pushed
the
disa_miss_14453
branch
from
3ade977 to
15c8c66
Compare
Mab879
requested changes
Feb 27, 2026
| <instance datatype="int" operation="greater than or equal">1</instance> | ||
| </textfilecontent54_object> | ||
| <textfilecontent54_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:mil.disa.stig.ind:obj:25725800" version="3"> | ||
| <filepath>/etc/systemd/logind.conf</filepath> |
Member
There was a problem hiding this comment.
Just create a waiver, don't modify the references. We can ask DISA to fix the content.
Contributor
Author
There was a problem hiding this comment.
- I've reversed this change in 5759ea9
- waivers were added in Adding waivers for DISA misalignment in configure_libreswan_crypto_policy, logind_session_timeout rules RHSecurityCompliance/contest#549
Arden97
force-pushed
the
disa_miss_14453
branch
from
15c8c66 to
5759ea9
Compare
Mab879
approved these changes
Feb 27, 2026
Member
|
/packit build |
1 similar comment
Member
|
/packit build |
Contributor
Author
|
/retest |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description:
This PR addresses two DISA STIG alignment failures:
configure_libreswan_crypto_policy(SV-279930): Rule now returns "Not Applicable" when libreswan package is not installedlogind_session_timeout(SV-258077): Fixed DISA SCAP check location mismatch and added remediation cleanup to prevent conflictsRationale:
configure_libreswan_crypto_policy:libreswanpackage was not installed because it only checked if the system had a kernellogind_session_timeout:/etc/systemd/logind.conf/etc/systemd/logind.conf.d/Fixes DISA Misalignment for configure_libreswan_crypto_policy and logind_session_timeout rules #14453