From b136bacf1b7c4806789788aec8b65f4afc5c7664 Mon Sep 17 00:00:00 2001
From: Arden97
Date: Fri, 27 Feb 2026 11:15:13 +0100
Subject: [PATCH 1/2] add libreswan to platform for configure_libreswan_crypto_policy
---
 .../integrity/crypto/configure_libreswan_crypto_policy/rule.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/linux_os/guide/system/software/integrity/crypto/configure_libreswan_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/configure_libreswan_crypto_policy/rule.yml
index 8a14c3de7d55..f568fb714d9f 100644
--- a/linux_os/guide/system/software/integrity/crypto/configure_libreswan_crypto_policy/rule.yml
+++ b/linux_os/guide/system/software/integrity/crypto/configure_libreswan_crypto_policy/rule.yml
@@ -67,4 +67,4 @@ fixtext: |-
 srg_requirement: '{{{ full_name }}} must implement NIST FIPS-validated cryptography for the following: to provision digital signatures, to generate cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.'
-platform: system_with_kernel
+platform: system_with_kernel and package[libreswan]
From 299faecb04b464d3c5ca7c94f0faf1fa71fb36b0 Mon Sep 17 00:00:00 2001
From: Arden97
Date: Tue, 3 Mar 2026 14:43:32 +0100
Subject: [PATCH 2/2] clear entries before logind_session_timeout remediation
---
 .../logind_session_timeout/ansible/shared.yml | 15 +++++++++++++++
 .../logind_session_timeout/bash/shared.sh | 5 +++++
 2 files changed, 20 insertions(+)
diff --git a/linux_os/guide/system/accounts/accounts-physical/logind_session_timeout/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-physical/logind_session_timeout/ansible/shared.yml
index 8a2608c93e68..bb1894435ae8 100644
--- a/linux_os/guide/system/accounts/accounts-physical/logind_session_timeout/ansible/shared.yml
+++ b/linux_os/guide/system/accounts/accounts-physical/logind_session_timeout/ansible/shared.yml
@@ -6,7 +6,22 @@
 {{{ ansible_instantiate_variables("var_logind_session_timeout") }}}
+- name: Remove StopIdleSessionSec from main config
+ ansible.builtin.lineinfile:
+ path: /etc/systemd/logind.conf
+ regexp: '^\s*StopIdleSessionSec\s*='
+ state: absent
+
 {{% if product in ["ol9", "ol10", "rhel9", "rhel10", "sle15", "sle16"] %}}
+
+- name: Remove StopIdleSessionSec from drop-in files
+ ansible.builtin.lineinfile:
+ path: "{{ item }}"
+ regexp: '^\s*StopIdleSessionSec\s*='
+ state: absent
+ with_fileglob:
+ - /etc/systemd/logind.conf.d/*.conf
+
 # create drop-in in the /etc/systemd/logind.conf.d/ directory
 {{% set logind_conf_file = "/etc/systemd/logind.conf.d/oscap-idle-sessions.conf" %}}
 {{% else %}}
diff --git a/linux_os/guide/system/accounts/accounts-physical/logind_session_timeout/bash/shared.sh b/linux_os/guide/system/accounts/accounts-physical/logind_session_timeout/bash/shared.sh
index cba93b6e8891..ea7d0c1caea4 100644
--- a/linux_os/guide/system/accounts/accounts-physical/logind_session_timeout/bash/shared.sh
+++ b/linux_os/guide/system/accounts/accounts-physical/logind_session_timeout/bash/shared.sh
@@ -2,10 +2,15 @@
 {{{ bash_instantiate_variables("var_logind_session_timeout") }}}
+# Remove StopIdleSessionSec from main config
+{{{ lineinfile_absent("/etc/systemd/logind.conf", "^\s*StopIdleSessionSec\s*=", insensitive=true, rule_id=rule_id) }}}
+
 {{% if product in ["ol9", "ol10", "rhel9", "rhel10", "sle15", "sle16"] %}}
 # create drop-in in the /etc/systemd/logind.conf.d/ directory
 {{% set logind_conf_file = "/etc/systemd/logind.conf.d/oscap-idle-sessions.conf" %}}
 mkdir -p "/etc/systemd/logind.conf.d/"
+# remove StopIdleSessionSec from drop-in files
+{{{ lineinfile_absent_in_directory("/etc/systemd/logind.conf.d", "^\s*StopIdleSessionSec\s*=", insensitive=true, filename_glob="*.conf") | indent(4) }}}
 {{% else %}}
 {{% set logind_conf_file = "/etc/systemd/logind.conf" %}}
 {{% endif %}}
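Review bot: `with_fileglob` in the added task "Remove StopIdleSessionSec from drop-in files" (ansible/shared.yml) is a lookup, and Ansible evaluates lookups on the control node, so against a remote host the glob lists the controller's /etc/systemd/logind.conf.d and drop-ins that exist only on the target keep their StopIdleSessionSec line. A leftover drop-in that sorts after oscap-idle-sessions.conf would presumably still override the remediated timeout. Listing the files on the target with `ansible.builtin.find` and looping over the registered result closes that gap, as sketched below. The `regexp` in both added tasks is also case-sensitive while the Bash remediation in this patch passes `insensitive=true`, so the two remediations do not remove the same set of lines. The `{{% if %}}` block these tasks sit in closes outside the hunk.

```yaml
# … unchanged: "Remove StopIdleSessionSec from main config" task and the product check …

- name: Find logind drop-in files on the target
  ansible.builtin.find:
    paths: /etc/systemd/logind.conf.d
    patterns: '*.conf'
  register: logind_dropin_files

- name: Remove StopIdleSessionSec from drop-in files
  ansible.builtin.lineinfile:
    path: "{{ item.path }}"
    regexp: '^\s*StopIdleSessionSec\s*='
    state: absent
  loop: "{{ logind_dropin_files.files }}"
```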
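Review bot: The removal from /etc/systemd/logind.conf in bash/shared.sh sits above the product branch, so it also runs on products that take the `else` path and use that same file as `logind_conf_file`; whether `lineinfile_absent` tolerates a host where the file does not exist is not visible in this patch and is worth confirming. The two calls also differ in that only the first passes `rule_id=rule_id`; if `lineinfile_absent_in_directory` accepts that argument, passing it would keep the two calls uniform. A comment stating the reason for the clean-up would help the next reader, for example `# clear every existing StopIdleSessionSec entry before the value is set below`; the write itself is outside the hunk.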