Add default domain to SSSD related remediations and fix Fedora test failures#14726
Arden97 wants to merge 3 commits into
Conversation
Skipping CI for Draft Pull Request.
This datastream diff is auto generated by the check.
bash remediation for rule 'xccdf_org.ssgproject.content_rule_xwayland_disabled' differs.
--- xccdf_org.ssgproject.content_rule_xwayland_disabled
+++ xccdf_org.ssgproject.content_rule_xwayland_disabled
@@ -26,6 +26,8 @@
found=true
fi
+
+
done
# if section not in any file, append section with key = value to FIRST file in files parameter
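Review bot: the only change in this hunk is two blank lines added after `fi` inside the loop body, which is whitespace-only churn in generated bash and points at stray newlines in the shared ini-value Jinja macro rather than an intended change to this rule. The identical two-line hunk shows up at the same spot in the next ten rules in this diff (disable_weak_deps through coredump_disable_storage) and again inside every sssd_* remediation, so trimming the newlines in the macro template (Jinja `-` whitespace control on the affected tags) would keep the datastream diff limited to the SSSD changes this PR is about.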
bash remediation for rule 'xccdf_org.ssgproject.content_rule_disable_weak_deps' differs.
--- xccdf_org.ssgproject.content_rule_disable_weak_deps
+++ xccdf_org.ssgproject.content_rule_disable_weak_deps
@@ -26,6 +26,8 @@
found=true
fi
+
+
done
# if section not in any file, append section with key = value to FIRST file in files parameter
bash remediation for rule 'xccdf_org.ssgproject.content_rule_dnf-automatic_apply_updates' differs.
--- xccdf_org.ssgproject.content_rule_dnf-automatic_apply_updates
+++ xccdf_org.ssgproject.content_rule_dnf-automatic_apply_updates
@@ -26,6 +26,8 @@
found=true
fi
+
+
done
# if section not in any file, append section with key = value to FIRST file in files parameter
bash remediation for rule 'xccdf_org.ssgproject.content_rule_dnf-automatic_security_updates_only' differs.
--- xccdf_org.ssgproject.content_rule_dnf-automatic_security_updates_only
+++ xccdf_org.ssgproject.content_rule_dnf-automatic_security_updates_only
@@ -26,6 +26,8 @@
found=true
fi
+
+
done
# if section not in any file, append section with key = value to FIRST file in files parameter
bash remediation for rule 'xccdf_org.ssgproject.content_rule_require_singleuser_auth' differs.
--- xccdf_org.ssgproject.content_rule_require_singleuser_auth
+++ xccdf_org.ssgproject.content_rule_require_singleuser_auth
@@ -26,6 +26,8 @@
found=true
fi
+
+
done
# if section not in any file, append section with key = value to FIRST file in files parameter
bash remediation for rule 'xccdf_org.ssgproject.content_rule_journald_compress' differs.
--- xccdf_org.ssgproject.content_rule_journald_compress
+++ xccdf_org.ssgproject.content_rule_journald_compress
@@ -26,6 +26,8 @@
found=true
fi
+
+
done
# if section not in any file, append section with key = value to FIRST file in files parameter
bash remediation for rule 'xccdf_org.ssgproject.content_rule_journald_disable_forward_to_syslog' differs.
--- xccdf_org.ssgproject.content_rule_journald_disable_forward_to_syslog
+++ xccdf_org.ssgproject.content_rule_journald_disable_forward_to_syslog
@@ -26,6 +26,8 @@
found=true
fi
+
+
done
# if section not in any file, append section with key = value to FIRST file in files parameter
bash remediation for rule 'xccdf_org.ssgproject.content_rule_journald_forward_to_syslog' differs.
--- xccdf_org.ssgproject.content_rule_journald_forward_to_syslog
+++ xccdf_org.ssgproject.content_rule_journald_forward_to_syslog
@@ -26,6 +26,8 @@
found=true
fi
+
+
done
# if section not in any file, append section with key = value to FIRST file in files parameter
bash remediation for rule 'xccdf_org.ssgproject.content_rule_journald_storage' differs.
--- xccdf_org.ssgproject.content_rule_journald_storage
+++ xccdf_org.ssgproject.content_rule_journald_storage
@@ -26,6 +26,8 @@
found=true
fi
+
+
done
# if section not in any file, append section with key = value to FIRST file in files parameter
bash remediation for rule 'xccdf_org.ssgproject.content_rule_coredump_disable_backtraces' differs.
--- xccdf_org.ssgproject.content_rule_coredump_disable_backtraces
+++ xccdf_org.ssgproject.content_rule_coredump_disable_backtraces
@@ -26,6 +26,8 @@
found=true
fi
+
+
done
# if section not in any file, append section with key = value to FIRST file in files parameter
bash remediation for rule 'xccdf_org.ssgproject.content_rule_coredump_disable_storage' differs.
--- xccdf_org.ssgproject.content_rule_coredump_disable_storage
+++ xccdf_org.ssgproject.content_rule_coredump_disable_storage
@@ -26,6 +26,8 @@
found=true
fi
+
+
done
# if section not in any file, append section with key = value to FIRST file in files parameter
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sssd_certificate_verification' differs.
--- xccdf_org.ssgproject.content_rule_sssd_certificate_verification
+++ xccdf_org.ssgproject.content_rule_sssd_certificate_verification
@@ -9,12 +9,64 @@
OLD_UMASK=$(umask)
umask u=rw,go=
-MAIN_CONF="/etc/sssd/conf.d/certificate_verification.conf"
+SSSD_CONF="/etc/sssd/sssd.conf"
+SSSD_CONF_DIR="/etc/sssd/conf.d"
+mkdir -p "$(dirname "$SSSD_CONF")"
+if [ ! -f "$SSSD_CONF" ]; then
+ touch "$SSSD_CONF"
+fi
+if ! grep -qsrP '^\s*\[domain\/[^]]*]' "$SSSD_CONF" "$SSSD_CONF_DIR"/*.conf 2>/dev/null; then
+ found=false
+
+# set value in all files if they contain section or key
+for f in $(echo -n "$SSSD_CONF"); do
+ if [ ! -e "$f" ]; then
+ continue
+ fi
+
+ # find key in section and change value
+ if grep -qzosP "(?m)^[[:space:]]*\[sssd\]([^\n\[]*\n+)+?[[:space:]]*domains" "$f"; then
+ if ! grep -qzosP "(?m)^[[:space:]]*domains[[:space:]]*=[[:space:]]*default" "$f"; then
+
+ sed -i "/^[[:space:]]*domains/s/\([[:blank:]]*=[[:blank:]]*\).*/\1default/" "$f"
+
+ fi
+
+ found=true
+
+ # find section and add key = value to it
+ elif grep -qs "^[[:space:]]*\[sssd\]" "$f"; then
+
+ sed -i "/^[[:space:]]*\[sssd\]/a domains=default" "$f"
+
+ found=true
+ fi
+
+
+done
+
+# if section not in any file, append section with key = value to FIRST file in files parameter
+if ! $found ; then
+ file=$(echo "$SSSD_CONF" | cut -f1 -d ' ')
+ mkdir -p "$(dirname "$file")"
+
+ echo -e "[sssd]\ndomains=default" >> "$file"
+
+fi
+ cat >> "$SSSD_CONF" << EOF
+
+[domain/default]
+id_provider = files
+EOF
+fi
+
+
+MAIN_CONF="$SSSD_CONF_DIR/certificate_verification.conf"
found=false
# set value in all files if they contain section or key
-for f in $(echo -n "$MAIN_CONF /etc/sssd/sssd.conf /etc/sssd/conf.d/*.conf"); do
+for f in $(echo -n "$MAIN_CONF $SSSD_CONF $SSSD_CONF_DIR/*.conf"); do
if [ ! -e "$f" ]; then
continue
fi
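Review bot: `mkdir -p "$(dirname "$SSSD_CONF")"` runs after `umask u=rw,go=` (mask 0177), so when /etc/sssd does not exist yet it is created with mode 0600 and no execute bit, which a non-root sssd service account cannot traverse, while the Ansible counterpart creates the same directory as 0755; create the directory before switching the umask, or pass `mkdir` an explicit mode such as `-m 0700`, so the two remediations agree. Two smaller points in the same block: the `sed ... s/\([[:blank:]]*=[[:blank:]]*\).*/\1default/` rewrites an existing `domains =` list to just `default` instead of appending to it, and `id_provider = files` uses a provider that upstream SSSD has deprecated in favour of `id_provider = proxy` with `proxy_lib_name = files`, which is worth checking against the SSSD versions in the Fedora images whose tests this PR is fixing. This block is injected verbatim into the other sssd_* bash remediations below, so any fix belongs in the shared template.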
@@ -36,11 +88,13 @@
found=true
fi
+
+
done
# if section not in any file, append section with key = value to FIRST file in files parameter
if ! $found ; then
- file=$(echo "$MAIN_CONF /etc/sssd/sssd.conf /etc/sssd/conf.d/*.conf" | cut -f1 -d ' ')
+ file=$(echo "$MAIN_CONF $SSSD_CONF $SSSD_CONF_DIR/*.conf" | cut -f1 -d ' ')
mkdir -p "$(dirname "$file")"
echo -e "[sssd]\ncertificate_verification=ocsp_dgst=$var_sssd_certificate_verification_digest_function" >> "$file"
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sssd_certificate_verification' differs.
--- xccdf_org.ssgproject.content_rule_sssd_certificate_verification
+++ xccdf_org.ssgproject.content_rule_sssd_certificate_verification
@@ -16,6 +16,92 @@
var_sssd_certificate_verification_digest_function: !!str
tags:
- always
+
+- name: Certificate status checking in SSSD - Ensure sssd config directory exists
+ ansible.builtin.file:
+ path: /etc/sssd
+ state: directory
+ mode: '0755'
+ when: '"sssd-common" in ansible_facts.packages'
+ tags:
+ - CCE-86120-3
+ - DISA-STIG-RHEL-08-010400
+ - NIST-800-53-IA-2(11)
+ - configure_strategy
+ - low_complexity
+ - medium_disruption
+ - medium_severity
+ - no_reboot_needed
+ - sssd_certificate_verification
+
+- name: Certificate status checking in SSSD - Test for domain group in main config
+ ansible.builtin.command: grep '^\s*\[domain\/[^]]*]' /etc/sssd/sssd.conf
+ register: test_grep_domain
+ failed_when: false
+ changed_when: false
+ check_mode: false
+ when: '"sssd-common" in ansible_facts.packages'
+ tags:
+ - CCE-86120-3
+ - DISA-STIG-RHEL-08-010400
+ - NIST-800-53-IA-2(11)
+ - configure_strategy
+ - low_complexity
+ - medium_disruption
+ - medium_severity
+ - no_reboot_needed
+ - sssd_certificate_verification
+
+- name: Certificate status checking in SSSD - Test for domain group in conf.d
+ ansible.builtin.shell: grep -rs '^\s*\[domain\/[^]]*]' /etc/sssd/conf.d/*.conf 2>/dev/null
+ register: test_grep_domain_conf_d
+ failed_when: false
+ changed_when: false
+ check_mode: false
+ when: '"sssd-common" in ansible_facts.packages'
+ tags:
+ - CCE-86120-3
+ - DISA-STIG-RHEL-08-010400
+ - NIST-800-53-IA-2(11)
+ - configure_strategy
+ - low_complexity
+ - medium_disruption
+ - medium_severity
+ - no_reboot_needed
+ - sssd_certificate_verification
+
+- name: Certificate status checking in SSSD - Add default domain group (if no domain
+ there)
+ community.general.ini_file:
+ path: /etc/sssd/sssd.conf
+ section: '{{ item.section }}'
+ option: '{{ item.option }}'
+ value: '{{ item.value }}'
+ create: true
+ mode: 384
+ with_items:
+ - section: sssd
+ option: domains
+ value: default
+ - section: domain/default
+ option: id_provider
+ value: files
+ when:
+ - '"sssd-common" in ansible_facts.packages'
+ - test_grep_domain.stdout is defined
+ - test_grep_domain.stdout | length < 1
+ - test_grep_domain_conf_d.stdout is defined
+ - test_grep_domain_conf_d.stdout | length < 1
+ tags:
+ - CCE-86120-3
+ - DISA-STIG-RHEL-08-010400
+ - NIST-800-53-IA-2(11)
+ - configure_strategy
+ - low_complexity
+ - medium_disruption
+ - medium_severity
+ - no_reboot_needed
+ - sssd_certificate_verification
- name: Ensure that "certificate_verification" is not set in /etc/sssd/sssd.conf
community.general.ini_file:
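Review bot: `mode: 384` in the `Add default domain group` task is decimal 384 (octal 0600) emitted as a bare integer; Ansible's mode handling accepts an integer, but next to `mode: '0755'` a few tasks up it reads like a typo, so emit it as the quoted octal string `mode: '0600'`. Also, `ansible.builtin.file` with `state: directory` and `mode: '0755'` is applied to an already existing /etc/sssd as well, so if sssd-common ships that directory with a tighter mode this task widens it; consider not forcing `mode` when the directory exists, or matching the packaged mode. As in the bash version, `community.general.ini_file` with `option: domains` replaces an existing `domains` value with `default` rather than extending the list. The same three tasks are repeated in the other sssd_* playbooks in this diff and should be adjusted together.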
@@ -36,7 +122,7 @@
- no_reboot_needed
- sssd_certificate_verification
-- name: Ensure that "certificate_verification" is not set in /etc/sssd/conf.d/*.conf
+- name: Ensure that "certificate_verification" is not set in /etc/sssd/conf.d/*.conf
community.general.ini_file:
path: /etc/sssd/conf.d/*.conf
section: sssd
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sssd_enable_pam_services' differs.
--- xccdf_org.ssgproject.content_rule_sssd_enable_pam_services
+++ xccdf_org.ssgproject.content_rule_sssd_enable_pam_services
@@ -7,16 +7,60 @@
umask u=rw,go=
SSSD_CONF="/etc/sssd/sssd.conf"
-SSSD_CONF_DIR="/etc/sssd/conf.d/*.conf"
-
-if [ ! -f "$SSSD_CONF" ] && [ ! -f "$SSSD_CONF_DIR" ]; then
- mkdir -p /etc/sssd
+SSSD_CONF_DIR="/etc/sssd/conf.d"
+mkdir -p "$(dirname "$SSSD_CONF")"
+if [ ! -f "$SSSD_CONF" ]; then
touch "$SSSD_CONF"
fi
+if ! grep -qsrP '^\s*\[domain\/[^]]*]' "$SSSD_CONF" "$SSSD_CONF_DIR"/*.conf 2>/dev/null; then
+ found=false
+
+# set value in all files if they contain section or key
+for f in $(echo -n "$SSSD_CONF"); do
+ if [ ! -e "$f" ]; then
+ continue
+ fi
+
+ # find key in section and change value
+ if grep -qzosP "(?m)^[[:space:]]*\[sssd\]([^\n\[]*\n+)+?[[:space:]]*domains" "$f"; then
+ if ! grep -qzosP "(?m)^[[:space:]]*domains[[:space:]]*=[[:space:]]*default" "$f"; then
+
+ sed -i "/^[[:space:]]*domains/s/\([[:blank:]]*=[[:blank:]]*\).*/\1default/" "$f"
+
+ fi
+
+ found=true
+
+ # find section and add key = value to it
+ elif grep -qs "^[[:space:]]*\[sssd\]" "$f"; then
+
+ sed -i "/^[[:space:]]*\[sssd\]/a domains=default" "$f"
+
+ found=true
+ fi
+
+
+done
+
+# if section not in any file, append section with key = value to FIRST file in files parameter
+if ! $found ; then
+ file=$(echo "$SSSD_CONF" | cut -f1 -d ' ')
+ mkdir -p "$(dirname "$file")"
+
+ echo -e "[sssd]\ndomains=default" >> "$file"
+
+fi
+ cat >> "$SSSD_CONF" << EOF
+
+[domain/default]
+id_provider = files
+EOF
+fi
+
# Flag to check if there is already services with pam
service_already_exist=false
-for f in $SSSD_CONF $SSSD_CONF_DIR; do
+for f in $SSSD_CONF $SSSD_CONF_DIR/*.conf; do
if [ ! -e "$f" ]; then
continue
fi
@@ -38,13 +82,43 @@
# If there was no service in [sssd], add it to first config
if [ "$service_already_exist" = false ]; then
- for f in $SSSD_CONF $SSSD_CONF_DIR; do
- cat << EOF >> "$f"
-[sssd]
-services = pam
-EOF
- break
- done
+found=false
+
+# set value in all files if they contain section or key
+for f in $(echo -n "$SSSD_CONF $SSSD_CONF_DIR/*.conf"); do
+ if [ ! -e "$f" ]; then
+ continue
+ fi
+
+ # find key in section and change value
+ if grep -qzosP "(?m)^[[:space:]]*\[sssd\]([^\n\[]*\n+)+?[[:space:]]*services" "$f"; then
+ if ! grep -qzosP "(?m)^[[:space:]]*services[[:space:]]*=[[:space:]]*pam" "$f"; then
+
+ sed -i "/^[[:space:]]*services/s/\([[:blank:]]*=[[:blank:]]*\).*/\1pam/" "$f"
+
+ fi
+
+ found=true
+
+ # find section and add key = value to it
+ elif grep -qs "^[[:space:]]*\[sssd\]" "$f"; then
+
+ sed -i "/^[[:space:]]*\[sssd\]/a services=pam" "$f"
+
+ found=true
+ fi
+
+
+done
+
+# if section not in any file, append section with key = value to FIRST file in files parameter
+if ! $found ; then
+ file=$(echo "$SSSD_CONF $SSSD_CONF_DIR/*.conf" | cut -f1 -d ' ')
+ mkdir -p "$(dirname "$file")"
+
+ echo -e "[sssd]\nservices=pam" >> "$file"
+
+fi
fi
umask $OLD_UMASK
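Review bot: the `sed -i "/^[[:space:]]*services/s/\([[:blank:]]*=[[:blank:]]*\).*/\1pam/"` in the new fallback replaces the whole value of an existing `services` key with `pam`, so a `services = nss, ssh` line under `[sssd]` would lose `nss` and `ssh`; the code it replaces only ever appended a fresh `[sssd]` section and never touched an existing key. Either make this branch append `pam` to the existing list, or document that it is unreachable when a `services` key is present because the unchanged loop above (the one that sets `service_already_exist`) has already handled that case.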
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sssd_enable_pam_services' differs.
--- xccdf_org.ssgproject.content_rule_sssd_enable_pam_services
+++ xccdf_org.ssgproject.content_rule_sssd_enable_pam_services
@@ -12,11 +12,96 @@
- no_reboot_needed
- sssd_enable_pam_services
-- name: Configure PAM in SSSD Services - Find all the conf files inside the /etc/sssd/conf.d/
+- name: Configure PAM in SSSD Services - Ensure sssd config directory exists
+ ansible.builtin.file:
+ path: /etc/sssd
+ state: directory
+ mode: '0755'
+ when: '"sssd-common" in ansible_facts.packages'
+ tags:
+ - CCE-82446-6
+ - NIST-800-53-CM-6(a)
+ - NIST-800-53-IA-2(1)
+ - configure_strategy
+ - low_complexity
+ - medium_disruption
+ - medium_severity
+ - no_reboot_needed
+ - sssd_enable_pam_services
+
+- name: Configure PAM in SSSD Services - Test for domain group in main config
+ ansible.builtin.command: grep '^\s*\[domain\/[^]]*]' /etc/sssd/sssd.conf
+ register: test_grep_domain
+ failed_when: false
+ changed_when: false
+ check_mode: false
+ when: '"sssd-common" in ansible_facts.packages'
+ tags:
+ - CCE-82446-6
+ - NIST-800-53-CM-6(a)
+ - NIST-800-53-IA-2(1)
+ - configure_strategy
+ - low_complexity
+ - medium_disruption
+ - medium_severity
+ - no_reboot_needed
+ - sssd_enable_pam_services
+
+- name: Configure PAM in SSSD Services - Test for domain group in conf.d
+ ansible.builtin.shell: grep -rs '^\s*\[domain\/[^]]*]' /etc/sssd/conf.d/*.conf 2>/dev/null
+ register: test_grep_domain_conf_d
+ failed_when: false
+ changed_when: false
+ check_mode: false
+ when: '"sssd-common" in ansible_facts.packages'
+ tags:
+ - CCE-82446-6
+ - NIST-800-53-CM-6(a)
+ - NIST-800-53-IA-2(1)
+ - configure_strategy
+ - low_complexity
+ - medium_disruption
+ - medium_severity
+ - no_reboot_needed
+ - sssd_enable_pam_services
+
+- name: Configure PAM in SSSD Services - Add default domain group (if no domain there)
+ community.general.ini_file:
+ path: /etc/sssd/sssd.conf
+ section: '{{ item.section }}'
+ option: '{{ item.option }}'
+ value: '{{ item.value }}'
+ create: true
+ mode: 384
+ with_items:
+ - section: sssd
+ option: domains
+ value: default
+ - section: domain/default
+ option: id_provider
+ value: files
+ when:
+ - '"sssd-common" in ansible_facts.packages'
+ - test_grep_domain.stdout is defined
+ - test_grep_domain.stdout | length < 1
+ - test_grep_domain_conf_d.stdout is defined
+ - test_grep_domain_conf_d.stdout | length < 1
+ tags:
+ - CCE-82446-6
+ - NIST-800-53-CM-6(a)
+ - NIST-800-53-IA-2(1)
+ - configure_strategy
+ - low_complexity
+ - medium_disruption
+ - medium_severity
+ - no_reboot_needed
+ - sssd_enable_pam_services
+
+- name: Configure PAM in SSSD Services - Find all the conf files inside the /etc/sssd/conf.d
directory
ansible.builtin.find:
paths:
- - /etc/sssd/conf.d/
+ - /etc/sssd/conf.d
patterns: '*.conf'
register: sssd_conf_d_files
when: '"sssd-common" in ansible_facts.packages'
@@ -31,7 +116,7 @@
- no_reboot_needed
- sssd_enable_pam_services
-- name: Configure PAM in SSSD Services - Modify lines in files in the /etc/sssd/conf.d/
+- name: Configure PAM in SSSD Services - Modify lines in files in the /etc/sssd/conf.d
directory
ansible.builtin.replace:
path: '{{ item }}'
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sssd_enable_smartcards' differs.
--- xccdf_org.ssgproject.content_rule_sssd_enable_smartcards
+++ xccdf_org.ssgproject.content_rule_sssd_enable_smartcards
@@ -6,10 +6,62 @@
OLD_UMASK=$(umask)
umask u=rw,go=
+SSSD_CONF="/etc/sssd/sssd.conf"
+SSSD_CONF_DIR="/etc/sssd/conf.d"
+mkdir -p "$(dirname "$SSSD_CONF")"
+if [ ! -f "$SSSD_CONF" ]; then
+ touch "$SSSD_CONF"
+fi
+if ! grep -qsrP '^\s*\[domain\/[^]]*]' "$SSSD_CONF" "$SSSD_CONF_DIR"/*.conf 2>/dev/null; then
+ found=false
+
+# set value in all files if they contain section or key
+for f in $(echo -n "$SSSD_CONF"); do
+ if [ ! -e "$f" ]; then
+ continue
+ fi
+
+ # find key in section and change value
+ if grep -qzosP "(?m)^[[:space:]]*\[sssd\]([^\n\[]*\n+)+?[[:space:]]*domains" "$f"; then
+ if ! grep -qzosP "(?m)^[[:space:]]*domains[[:space:]]*=[[:space:]]*default" "$f"; then
+
+ sed -i "/^[[:space:]]*domains/s/\([[:blank:]]*=[[:blank:]]*\).*/\1default/" "$f"
+
+ fi
+
+ found=true
+
+ # find section and add key = value to it
+ elif grep -qs "^[[:space:]]*\[sssd\]" "$f"; then
+
+ sed -i "/^[[:space:]]*\[sssd\]/a domains=default" "$f"
+
+ found=true
+ fi
+
+
+done
+
+# if section not in any file, append section with key = value to FIRST file in files parameter
+if ! $found ; then
+ file=$(echo "$SSSD_CONF" | cut -f1 -d ' ')
+ mkdir -p "$(dirname "$file")"
+
+ echo -e "[sssd]\ndomains=default" >> "$file"
+
+fi
+ cat >> "$SSSD_CONF" << EOF
+
+[domain/default]
+id_provider = files
+EOF
+fi
+
+
found=false
# set value in all files if they contain section or key
-for f in $(echo -n "/etc/sssd/sssd.conf /etc/sssd/conf.d/*.conf"); do
+for f in $(echo -n "$SSSD_CONF $SSSD_CONF_DIR/*.conf"); do
if [ ! -e "$f" ]; then
continue
fi
@@ -31,11 +83,13 @@
found=true
fi
+
+
done
# if section not in any file, append section with key = value to FIRST file in files parameter
if ! $found ; then
- file=$(echo "/etc/sssd/sssd.conf /etc/sssd/conf.d/*.conf" | cut -f1 -d ' ')
+ file=$(echo "$SSSD_CONF $SSSD_CONF_DIR/*.conf" | cut -f1 -d ' ')
mkdir -p "$(dirname "$file")"
echo -e "[pam]\npam_cert_auth=True" >> "$file"
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sssd_enable_smartcards' differs.
--- xccdf_org.ssgproject.content_rule_sssd_enable_smartcards
+++ xccdf_org.ssgproject.content_rule_sssd_enable_smartcards
@@ -12,7 +12,24 @@
- no_reboot_needed
- sssd_enable_smartcards
-- name: Test for domain group
+- name: Enable Smartcards in SSSD - Ensure sssd config directory exists
+ ansible.builtin.file:
+ path: /etc/sssd
+ state: directory
+ mode: '0755'
+ when: '"sssd-common" in ansible_facts.packages'
+ tags:
+ - CCE-80909-5
+ - DISA-STIG-RHEL-08-020250
+ - PCI-DSS-Req-8.3
+ - configure_strategy
+ - low_complexity
+ - medium_disruption
+ - medium_severity
+ - no_reboot_needed
+ - sssd_enable_smartcards
+
+- name: Enable Smartcards in SSSD - Test for domain group in main config
ansible.builtin.command: grep '^\s*\[domain\/[^]]*]' /etc/sssd/sssd.conf
register: test_grep_domain
failed_when: false
@@ -30,7 +47,25 @@
- no_reboot_needed
- sssd_enable_smartcards
-- name: Add default domain group (if no domain there)
+- name: Enable Smartcards in SSSD - Test for domain group in conf.d
+ ansible.builtin.shell: grep -rs '^\s*\[domain\/[^]]*]' /etc/sssd/conf.d/*.conf 2>/dev/null
+ register: test_grep_domain_conf_d
+ failed_when: false
+ changed_when: false
+ check_mode: false
+ when: '"sssd-common" in ansible_facts.packages'
+ tags:
+ - CCE-80909-5
+ - DISA-STIG-RHEL-08-020250
+ - PCI-DSS-Req-8.3
+ - configure_strategy
+ - low_complexity
+ - medium_disruption
+ - medium_severity
+ - no_reboot_needed
+ - sssd_enable_smartcards
+
+- name: Enable Smartcards in SSSD - Add default domain group (if no domain there)
community.general.ini_file:
path: /etc/sssd/sssd.conf
section: '{{ item.section }}'
@@ -49,6 +84,8 @@
- '"sssd-common" in ansible_facts.packages'
- test_grep_domain.stdout is defined
- test_grep_domain.stdout | length < 1
+ - test_grep_domain_conf_d.stdout is defined
+ - test_grep_domain_conf_d.stdout | length < 1
tags:
- CCE-80909-5
- DISA-STIG-RHEL-08-020250
@@ -80,9 +117,9 @@
- no_reboot_needed
- sssd_enable_smartcards
-- name: Find all the conf files inside /etc/sssd/conf.d/
+- name: Find all the conf files inside /etc/sssd/conf.d
ansible.builtin.find:
- paths: /etc/sssd/conf.d/
+ paths: /etc/sssd/conf.d
patterns: '*.conf'
register: sssd_conf_d_files
when: '"sssd-common" in ansible_facts.packages'
@@ -97,7 +134,7 @@
- no_reboot_needed
- sssd_enable_smartcards
-- name: Fix pam_cert_auth configuration in /etc/sssd/conf.d/
+- name: Fix pam_cert_auth configuration in /etc/sssd/conf.d
ansible.builtin.replace:
path: '{{ item.path }}'
regexp: '[^#]*pam_cert_auth.*'
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sssd_memcache_timeout' differs.
--- xccdf_org.ssgproject.content_rule_sssd_memcache_timeout
+++ xccdf_org.ssgproject.content_rule_sssd_memcache_timeout
@@ -9,10 +9,62 @@
OLD_UMASK=$(umask)
umask u=rw,go=
+SSSD_CONF="/etc/sssd/sssd.conf"
+SSSD_CONF_DIR="/etc/sssd/conf.d"
+mkdir -p "$(dirname "$SSSD_CONF")"
+if [ ! -f "$SSSD_CONF" ]; then
+ touch "$SSSD_CONF"
+fi
+if ! grep -qsrP '^\s*\[domain\/[^]]*]' "$SSSD_CONF" "$SSSD_CONF_DIR"/*.conf 2>/dev/null; then
+ found=false
+
+# set value in all files if they contain section or key
+for f in $(echo -n "$SSSD_CONF"); do
+ if [ ! -e "$f" ]; then
+ continue
+ fi
+
+ # find key in section and change value
+ if grep -qzosP "(?m)^[[:space:]]*\[sssd\]([^\n\[]*\n+)+?[[:space:]]*domains" "$f"; then
+ if ! grep -qzosP "(?m)^[[:space:]]*domains[[:space:]]*=[[:space:]]*default" "$f"; then
+
+ sed -i "/^[[:space:]]*domains/s/\([[:blank:]]*=[[:blank:]]*\).*/\1default/" "$f"
+
+ fi
+
+ found=true
+
+ # find section and add key = value to it
+ elif grep -qs "^[[:space:]]*\[sssd\]" "$f"; then
+
+ sed -i "/^[[:space:]]*\[sssd\]/a domains=default" "$f"
+
+ found=true
+ fi
+
+
+done
+
+# if section not in any file, append section with key = value to FIRST file in files parameter
+if ! $found ; then
+ file=$(echo "$SSSD_CONF" | cut -f1 -d ' ')
+ mkdir -p "$(dirname "$file")"
+
+ echo -e "[sssd]\ndomains=default" >> "$file"
+
+fi
+ cat >> "$SSSD_CONF" << EOF
+
+[domain/default]
+id_provider = files
+EOF
+fi
+
+
found=false
# set value in all files if they contain section or key
-for f in $(echo -n "/etc/sssd/sssd.conf"); do
+for f in $(echo -n "$SSSD_CONF"); do
if [ ! -e "$f" ]; then
continue
fi
@@ -34,11 +86,13 @@
found=true
fi
+
+
done
# if section not in any file, append section with key = value to FIRST file in files parameter
if ! $found ; then
- file=$(echo "/etc/sssd/sssd.conf" | cut -f1 -d ' ')
+ file=$(echo "$SSSD_CONF" | cut -f1 -d ' ')
mkdir -p "$(dirname "$file")"
echo -e "[nss]\nmemcache_timeout=$var_sssd_memcache_timeout" >> "$file"
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sssd_memcache_timeout' differs.
--- xccdf_org.ssgproject.content_rule_sssd_memcache_timeout
+++ xccdf_org.ssgproject.content_rule_sssd_memcache_timeout
@@ -17,8 +17,25 @@
tags:
- always
-- name: Test for domain group
- ansible.builtin.command: grep '\s*\[domain\/[^]]*]' /etc/sssd/sssd.conf
+- name: Configure SSSD's Memory Cache to Expire - Ensure sssd config directory exists
+ ansible.builtin.file:
+ path: /etc/sssd
+ state: directory
+ mode: '0755'
+ when: '"sssd-common" in ansible_facts.packages'
+ tags:
+ - CCE-80910-3
+ - NIST-800-53-CM-6(a)
+ - NIST-800-53-IA-5(13)
+ - low_complexity
+ - medium_disruption
+ - medium_severity
+ - no_reboot_needed
+ - sssd_memcache_timeout
+ - unknown_strategy
+
+- name: Configure SSSD's Memory Cache to Expire - Test for domain group in main config
+ ansible.builtin.command: grep '^\s*\[domain\/[^]]*]' /etc/sssd/sssd.conf
register: test_grep_domain
failed_when: false
changed_when: false
@@ -35,7 +52,26 @@
- sssd_memcache_timeout
- unknown_strategy
-- name: Add default domain group (if no domain there)
+- name: Configure SSSD's Memory Cache to Expire - Test for domain group in conf.d
+ ansible.builtin.shell: grep -rs '^\s*\[domain\/[^]]*]' /etc/sssd/conf.d/*.conf 2>/dev/null
+ register: test_grep_domain_conf_d
+ failed_when: false
+ changed_when: false
+ check_mode: false
+ when: '"sssd-common" in ansible_facts.packages'
+ tags:
+ - CCE-80910-3
+ - NIST-800-53-CM-6(a)
+ - NIST-800-53-IA-5(13)
+ - low_complexity
+ - medium_disruption
+ - medium_severity
+ - no_reboot_needed
+ - sssd_memcache_timeout
+ - unknown_strategy
+
+- name: Configure SSSD's Memory Cache to Expire - Add default domain group (if no
+ domain there)
community.general.ini_file:
path: /etc/sssd/sssd.conf
section: '{{ item.section }}'
@@ -54,6 +90,8 @@
- '"sssd-common" in ansible_facts.packages'
- test_grep_domain.stdout is defined
- test_grep_domain.stdout | length < 1
+ - test_grep_domain_conf_d.stdout is defined
+ - test_grep_domain_conf_d.stdout | length < 1
tags:
- CCE-80910-3
- NIST-800-53-CM-6(a)
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sssd_offline_cred_expiration' differs.
--- xccdf_org.ssgproject.content_rule_sssd_offline_cred_expiration
+++ xccdf_org.ssgproject.content_rule_sssd_offline_cred_expiration
@@ -6,10 +6,62 @@
OLD_UMASK=$(umask)
umask u=rw,go=
+SSSD_CONF="/etc/sssd/sssd.conf"
+SSSD_CONF_DIR="/etc/sssd/conf.d"
+mkdir -p "$(dirname "$SSSD_CONF")"
+if [ ! -f "$SSSD_CONF" ]; then
+ touch "$SSSD_CONF"
+fi
+if ! grep -qsrP '^\s*\[domain\/[^]]*]' "$SSSD_CONF" "$SSSD_CONF_DIR"/*.conf 2>/dev/null; then
+ found=false
+
+# set value in all files if they contain section or key
+for f in $(echo -n "$SSSD_CONF"); do
+ if [ ! -e "$f" ]; then
+ continue
+ fi
+
+ # find key in section and change value
+ if grep -qzosP "(?m)^[[:space:]]*\[sssd\]([^\n\[]*\n+)+?[[:space:]]*domains" "$f"; then
+ if ! grep -qzosP "(?m)^[[:space:]]*domains[[:space:]]*=[[:space:]]*default" "$f"; then
+
+ sed -i "/^[[:space:]]*domains/s/\([[:blank:]]*=[[:blank:]]*\).*/\1default/" "$f"
+
+ fi
+
+ found=true
+
+ # find section and add key = value to it
+ elif grep -qs "^[[:space:]]*\[sssd\]" "$f"; then
+
+ sed -i "/^[[:space:]]*\[sssd\]/a domains=default" "$f"
+
+ found=true
+ fi
+
+
+done
+
+# if section not in any file, append section with key = value to FIRST file in files parameter
+if ! $found ; then
+ file=$(echo "$SSSD_CONF" | cut -f1 -d ' ')
+ mkdir -p "$(dirname "$file")"
+
+ echo -e "[sssd]\ndomains=default" >> "$file"
+
+fi
+ cat >> "$SSSD_CONF" << EOF
+
+[domain/default]
+id_provider = files
+EOF
+fi
+
+
found=false
# set value in all files if they contain section or key
-for f in $(echo -n "/etc/sssd/sssd.conf /etc/sssd/conf.d/*.conf"); do
+for f in $(echo -n "$SSSD_CONF $SSSD_CONF_DIR/*.conf"); do
if [ ! -e "$f" ]; then
continue
fi
@@ -31,11 +83,13 @@
found=true
fi
+
+
done
# if section not in any file, append section with key = value to FIRST file in files parameter
if ! $found ; then
- file=$(echo "/etc/sssd/sssd.conf /etc/sssd/conf.d/*.conf" | cut -f1 -d ' ')
+ file=$(echo "$SSSD_CONF $SSSD_CONF_DIR/*.conf" | cut -f1 -d ' ')
mkdir -p "$(dirname "$file")"
echo -e "[pam]\noffline_credentials_expiration=1" >> "$file"
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sssd_offline_cred_expiration' differs.
--- xccdf_org.ssgproject.content_rule_sssd_offline_cred_expiration
+++ xccdf_org.ssgproject.content_rule_sssd_offline_cred_expiration
@@ -13,8 +13,28 @@
- no_reboot_needed
- sssd_offline_cred_expiration
-- name: Test for domain group
- ansible.builtin.command: grep '\s*\[domain\/[^]]*]' /etc/sssd/sssd.conf
+- name: Configure SSSD to Expire Offline Credentials - Ensure sssd config directory
+ exists
+ ansible.builtin.file:
+ path: /etc/sssd
+ state: directory
+ mode: '0755'
+ when: '"sssd-common" in ansible_facts.packages'
+ tags:
+ - CCE-82460-7
+ - DISA-STIG-RHEL-08-020290
+ - NIST-800-53-CM-6(a)
+ - NIST-800-53-IA-5(13)
+ - configure_strategy
+ - low_complexity
+ - medium_disruption
+ - medium_severity
+ - no_reboot_needed
+ - sssd_offline_cred_expiration
+
+- name: Configure SSSD to Expire Offline Credentials - Test for domain group in main
+ config
+ ansible.builtin.command: grep '^\s*\[domain\/[^]]*]' /etc/sssd/sssd.conf
register: test_grep_domain
failed_when: false
changed_when: false
@@ -32,7 +52,27 @@
- no_reboot_needed
- sssd_offline_cred_expiration
-- name: Add default domain group (if no domain there)
+- name: Configure SSSD to Expire Offline Credentials - Test for domain group in conf.d
+ ansible.builtin.shell: grep -rs '^\s*\[domain\/[^]]*]' /etc/sssd/conf.d/*.conf 2>/dev/null
+ register: test_grep_domain_conf_d
+ failed_when: false
+ changed_when: false
+ check_mode: false
+ when: '"sssd-common" in ansible_facts.packages'
+ tags:
+ - CCE-82460-7
+ - DISA-STIG-RHEL-08-020290
+ - NIST-800-53-CM-6(a)
+ - NIST-800-53-IA-5(13)
+ - configure_strategy
+ - low_complexity
+ - medium_disruption
+ - medium_severity
+ - no_reboot_needed
+ - sssd_offline_cred_expiration
+
+- name: Configure SSSD to Expire Offline Credentials - Add default domain group (if
+ no domain there)
community.general.ini_file:
path: /etc/sssd/sssd.conf
section: '{{ item.section }}'
@@ -51,6 +91,8 @@
- '"sssd-common" in ansible_facts.packages'
- test_grep_domain.stdout is defined
- test_grep_domain.stdout | length < 1
+ - test_grep_domain_conf_d.stdout is defined
+ - test_grep_domain_conf_d.stdout | length < 1
tags:
- CCE-82460-7
- DISA-STIG-RHEL-08-020290
@@ -84,9 +126,9 @@
- no_reboot_needed
- sssd_offline_cred_expiration
-- name: Find all the conf files inside /etc/sssd/conf.d/
+- name: Find all the conf files inside /etc/sssd/conf.d
ansible.builtin.find:
- paths: /etc/sssd/conf.d/
+ paths: /etc/sssd/conf.d
patterns: '*.conf'
register: sssd_conf_d_files
when: '"sssd-common" in ansible_facts.packages'
@@ -102,7 +144,7 @@
- no_reboot_needed
- sssd_offline_cred_expiration
-- name: Fix offline_credentials_expiration configuration in /etc/sssd/conf.d/
+- name: Fix offline_credentials_expiration configuration in /etc/sssd/conf.d
ansible.builtin.replace:
path: '{{ item.path }}'
regexp: '[^#]*offline_credentials_expiration.*'
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sssd_run_as_sssd_user' differs.
--- xccdf_org.ssgproject.content_rule_sssd_run_as_sssd_user
+++ xccdf_org.ssgproject.content_rule_sssd_run_as_sssd_user
@@ -1,17 +1,69 @@
# Remediation is applicable only in certain platforms
if rpm --quiet -q sssd-common; then
-
-MAIN_CONF="/etc/sssd/conf.d/ospp.conf"
# sssd configuration files must be created with 600 permissions if they don't exist
# otherwise the sssd module fails to start
OLD_UMASK=$(umask)
umask u=rw,go=
+SSSD_CONF="/etc/sssd/sssd.conf"
+SSSD_CONF_DIR="/etc/sssd/conf.d"
+mkdir -p "$(dirname "$SSSD_CONF")"
+if [ ! -f "$SSSD_CONF" ]; then
+ touch "$SSSD_CONF"
+fi
+if ! grep -qsrP '^\s*\[domain\/[^]]*]' "$SSSD_CONF" "$SSSD_CONF_DIR"/*.conf 2>/dev/null; then
+ found=false
+
+# set value in all files if they contain section or key
+for f in $(echo -n "$SSSD_CONF"); do
+ if [ ! -e "$f" ]; then
+ continue
+ fi
+
+ # find key in section and change value
+ if grep -qzosP "(?m)^[[:space:]]*\[sssd\]([^\n\[]*\n+)+?[[:space:]]*domains" "$f"; then
+ if ! grep -qzosP "(?m)^[[:space:]]*domains[[:space:]]*=[[:space:]]*default" "$f"; then
+
+ sed -i "/^[[:space:]]*domains/s/\([[:blank:]]*=[[:blank:]]*\).*/\1default/" "$f"
+
+ fi
+
+ found=true
+
+ # find section and add key = value to it
+ elif grep -qs "^[[:space:]]*\[sssd\]" "$f"; then
+
+ sed -i "/^[[:space:]]*\[sssd\]/a domains=default" "$f"
+
+ found=true
+ fi
+
+
+done
+
+# if section not in any file, append section with key = value to FIRST file in files parameter
+if ! $found ; then
+ file=$(echo "$SSSD_CONF" | cut -f1 -d ' ')
+ mkdir -p "$(dirname "$file")"
+
+ echo -e "[sssd]\ndomains=default" >> "$file"
+
+fi
+ cat >> "$SSSD_CONF" << EOF
+
+[domain/default]
+id_provider = files
+EOF
+fi
+
+
+MAIN_CONF="$SSSD_CONF_DIR/ospp.conf"
+
found=false
# set value in all files if they contain section or key
-for f in $(echo -n "$MAIN_CONF /etc/sssd/sssd.conf /etc/sssd/conf.d/*.conf"); do
+for f in $(echo -n "$MAIN_CONF $SSSD_CONF $SSSD_CONF_DIR/*.conf"); do
if [ ! -e "$f" ]; then
continue
fi
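Review bot: `mkdir -p "$(dirname "$SSSD_CONF")"` is executed after `umask u=rw,go=` has been applied, so on a host where /etc/sssd does not exist yet the directory is created with no execute bit at all (0600), which the non-root sssd user this rule configures cannot traverse; the Ansible counterpart of the same macro creates the directory with mode 0755, so the two remediations already disagree. Run the mkdir before the umask change, or chmod the directory explicitly after creating it. A second gap in the same block: the domain check `grep -qsrP '^\s*\[domain\/[^]]*]' "$SSSD_CONF" "$SSSD_CONF_DIR"/*.conf` scans both locations, but the repair loop `for f in $(echo -n "$SSSD_CONF")` only ever touches sssd.conf, so a `domains =` key living in a conf.d `[sssd]` section is neither checked nor corrected; either iterate over the same file set as the check or document in the macro that only sssd.conf is edited.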
@@ -33,11 +85,18 @@
found=true
fi
+
+
+ # within [sssd], remove entries where user has wrong value
+
+ sed -i "/^[[:space:]]*\[sssd\]/,/^[[:space:]]*\[/{/^[[:space:]]*user[[:blank:]]*=/{ /=[[:blank:]]*sssd/!d }}" "$f"
+
+
done
# if section not in any file, append section with key = value to FIRST file in files parameter
if ! $found ; then
- file=$(echo "$MAIN_CONF /etc/sssd/sssd.conf /etc/sssd/conf.d/*.conf" | cut -f1 -d ' ')
+ file=$(echo "$MAIN_CONF $SSSD_CONF $SSSD_CONF_DIR/*.conf" | cut -f1 -d ' ')
mkdir -p "$(dirname "$file")"
echo -e "[sssd]\nuser=sssd" >> "$file"
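Review bot: the value test in the new cleanup sed, `/=[[:blank:]]*sssd/!d`, is not anchored at end of line, so a stray `user = sssd2` or `user = sssdadmin` inside `[sssd]` survives while `user = bob` is deleted; use `/=[[:blank:]]*sssd[[:blank:]]*$/!d` so only the exact value is kept. Worth a comment in the macro as well: this sed runs for every file of the loop irrespective of the `found` state, and the range `/^[[:space:]]*\[sssd\]/,/^[[:space:]]*\[/` extends to end of file when `[sssd]` is the last section, which is the intended behaviour but not obvious to a reader of the generated script.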
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sssd_ssh_known_hosts_timeout' differs.
--- xccdf_org.ssgproject.content_rule_sssd_ssh_known_hosts_timeout
+++ xccdf_org.ssgproject.content_rule_sssd_ssh_known_hosts_timeout
@@ -9,10 +9,62 @@
OLD_UMASK=$(umask)
umask u=rw,go=
+SSSD_CONF="/etc/sssd/sssd.conf"
+SSSD_CONF_DIR="/etc/sssd/conf.d"
+mkdir -p "$(dirname "$SSSD_CONF")"
+if [ ! -f "$SSSD_CONF" ]; then
+ touch "$SSSD_CONF"
+fi
+if ! grep -qsrP '^\s*\[domain\/[^]]*]' "$SSSD_CONF" "$SSSD_CONF_DIR"/*.conf 2>/dev/null; then
+ found=false
+
+# set value in all files if they contain section or key
+for f in $(echo -n "$SSSD_CONF"); do
+ if [ ! -e "$f" ]; then
+ continue
+ fi
+
+ # find key in section and change value
+ if grep -qzosP "(?m)^[[:space:]]*\[sssd\]([^\n\[]*\n+)+?[[:space:]]*domains" "$f"; then
+ if ! grep -qzosP "(?m)^[[:space:]]*domains[[:space:]]*=[[:space:]]*default" "$f"; then
+
+ sed -i "/^[[:space:]]*domains/s/\([[:blank:]]*=[[:blank:]]*\).*/\1default/" "$f"
+
+ fi
+
+ found=true
+
+ # find section and add key = value to it
+ elif grep -qs "^[[:space:]]*\[sssd\]" "$f"; then
+
+ sed -i "/^[[:space:]]*\[sssd\]/a domains=default" "$f"
+
+ found=true
+ fi
+
+
+done
+
+# if section not in any file, append section with key = value to FIRST file in files parameter
+if ! $found ; then
+ file=$(echo "$SSSD_CONF" | cut -f1 -d ' ')
+ mkdir -p "$(dirname "$file")"
+
+ echo -e "[sssd]\ndomains=default" >> "$file"
+
+fi
+ cat >> "$SSSD_CONF" << EOF
+
+[domain/default]
+id_provider = files
+EOF
+fi
+
+
found=false
# set value in all files if they contain section or key
-for f in $(echo -n "/etc/sssd/sssd.conf"); do
+for f in $(echo -n "$SSSD_CONF"); do
if [ ! -e "$f" ]; then
continue
fi
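Review bot: readability of the generated block: the outer `if ! grep -qsrP ... then` nests a `for` loop, an `if ! $found` block and a heredoc, but the inner `for`, `done` and `if ! $found` sit at column 0 while ` cat >> "$SSSD_CONF" << EOF` and the final `fi` are indented, so pairing the two `fi` lines with their `if` takes effort. Indent the macro body consistently (or tighten the Jinja whitespace control) so the nesting is visible. Minor: the same block writes `domains=default` through echo but `id_provider = files` through the heredoc; pick one key style for the generated file.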
@@ -34,11 +86,13 @@
found=true
fi
+
+
done
# if section not in any file, append section with key = value to FIRST file in files parameter
if ! $found ; then
- file=$(echo "/etc/sssd/sssd.conf" | cut -f1 -d ' ')
+ file=$(echo "$SSSD_CONF" | cut -f1 -d ' ')
mkdir -p "$(dirname "$file")"
echo -e "[ssh]\nssh_known_hosts_timeout=$var_sssd_ssh_known_hosts_timeout" >> "$file"
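Review bot: stray whitespace: the two empty lines inserted before `done` are the only change in this hunk and come from loose whitespace control around the Jinja tags in the edited macro; use `{%-`/`-%}` on the offending tags rather than shipping the blank lines into every remediation that expands the macro.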
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sssd_ssh_known_hosts_timeout' differs.
--- xccdf_org.ssgproject.content_rule_sssd_ssh_known_hosts_timeout
+++ xccdf_org.ssgproject.content_rule_sssd_ssh_known_hosts_timeout
@@ -17,8 +17,25 @@
tags:
- always
-- name: Test for domain group
- ansible.builtin.command: grep '\s*\[domain\/[^]]*]' /etc/sssd/sssd.conf
+- name: Configure SSSD to Expire SSH Known Hosts - Ensure sssd config directory exists
+ ansible.builtin.file:
+ path: /etc/sssd
+ state: directory
+ mode: '0755'
+ when: '"sssd-common" in ansible_facts.packages'
+ tags:
+ - CCE-82442-5
+ - NIST-800-53-CM-6(a)
+ - NIST-800-53-IA-5(13)
+ - low_complexity
+ - medium_disruption
+ - medium_severity
+ - no_reboot_needed
+ - sssd_ssh_known_hosts_timeout
+ - unknown_strategy
+
+- name: Configure SSSD to Expire SSH Known Hosts - Test for domain group in main config
+ ansible.builtin.command: grep '^\s*\[domain\/[^]]*]' /etc/sssd/sssd.conf
register: test_grep_domain
failed_when: false
changed_when: false
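Review bot: `mode: '0755'` on the new `ansible.builtin.file` task is applied unconditionally, so it also rewrites the permissions of an already existing /etc/sssd instead of only creating the directory when it is missing; the bash side uses `mkdir -p` and leaves an existing directory untouched. Either drop `mode` (an existing directory then keeps its current permissions) or make the task create-only, so the Ansible and bash remediations have the same effect on a host where the package already shipped the directory. Separately, the grep in `ansible.builtin.command: grep '^\s*\[domain\/[^]]*]' /etc/sssd/sssd.conf` is the task the earlier "more suitable Ansible module" comments refer to; see the note on the last hunk for a module-based alternative.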
@@ -35,7 +52,26 @@
- sssd_ssh_known_hosts_timeout
- unknown_strategy
-- name: Add default domain group (if no domain there)
+- name: Configure SSSD to Expire SSH Known Hosts - Test for domain group in conf.d
+ ansible.builtin.shell: grep -rs '^\s*\[domain\/[^]]*]' /etc/sssd/conf.d/*.conf 2>/dev/null
+ register: test_grep_domain_conf_d
+ failed_when: false
+ changed_when: false
+ check_mode: false
+ when: '"sssd-common" in ansible_facts.packages'
+ tags:
+ - CCE-82442-5
+ - NIST-800-53-CM-6(a)
+ - NIST-800-53-IA-5(13)
+ - low_complexity
+ - medium_disruption
+ - medium_severity
+ - no_reboot_needed
+ - sssd_ssh_known_hosts_timeout
+ - unknown_strategy
+
+- name: Configure SSSD to Expire SSH Known Hosts - Add default domain group (if no
+ domain there)
community.general.ini_file:
path: /etc/sssd/sssd.conf
section: '{{ item.section }}'
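Review bot: the `community.general.ini_file` task writing `path: /etc/sssd/sssd.conf` will create the file when it is absent, but no `mode` is set, so the file gets the default umask-derived permissions rather than 0600; the bash version of this macro sets `umask u=rw,go=` before its `touch` precisely so that a freshly created sssd.conf is 0600. Add `mode: '0600'` to this task. Also, `ansible.builtin.shell: grep -rs ... /etc/sssd/conf.d/*.conf` is used only because a glob is needed; that is another spot the "more suitable module" comments apply to.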
@@ -54,6 +90,8 @@
- '"sssd-common" in ansible_facts.packages'
- test_grep_domain.stdout is defined
- test_grep_domain.stdout | length < 1
+ - test_grep_domain_conf_d.stdout is defined
+ - test_grep_domain_conf_d.stdout | length < 1
tags:
- CCE-82442-5
- NIST-800-53-CM-6(a) |
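Review bot: the `when` list now has to combine two registered results (`test_grep_domain.stdout` and `test_grep_domain_conf_d.stdout`, each checked for `is defined` and `| length < 1`), which is fragile and is exactly what the bot comments about using a more suitable module than `command`/`shell` are pointing at. A single `ansible.builtin.find` task with `paths: /etc/sssd`, `recurse: true`, `patterns: '*.conf'` and `contains: '^\s*\[domain/[^]]*]'` returns `matched`, so both grep tasks can go and this condition becomes `sssd_domain_sections.matched == 0` (registered name is a suggestion), with no stdout parsing or shell glob involved.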
Change in Ansible Please consider using more suitable Ansible module than
> Expects sssd_conf and sssd_conf_dir Jinja variables to be defined by the caller
> via {{% set sssd_conf = "..." %}} and {{% set sssd_conf_dir = "..." %}}.
This is suspicious. These are parameters of the macro. Unless there is something magic you don't need to specify this. It's enough to normally describe the parameters as you did.
> :type sssd_conf_dir: str
> #}}
> {{% macro ansible_sssd_ensure_default_domain(sssd_conf, sssd_conf_dir) -%}}
> - name: "Test for domain group in main config"
Add a parameter for rule title and use it in Ansible Task names so that the names contain the title of the rule they belong to.
> changed_when: false
> check_mode: no
we should use false consistently
Description:
`ansible_sssd_ensure_default_domain` and `bash_sssd_ensure_default_domain`

Rationale:
- `pam_cert_auth`, `certificate_verification`, `user`), SSSD won't start if no domain is defined
- `sssd_enable_smartcards` tests, `authselect` package has to be installed and configured to use `sssd`, because default profile is `local`, which has no `with-smartcard` feature
- `sssd_run_as_sssd_user` remediation fails on `wrong_value.fail.sh` test
- `wrong_value.fail.sh` test creates `user=sssd` + `user=bob` in the same section, then `bash_ensure_ini_config` finds `user=sssd` already matching, skips the `sed` and leaves `user=bob` untouched
- `bash_ensure_ini_config` macro to remove duplicated keys during remediation
- `ism_o`, `stig` and `anssi` profiles #14559
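The duplicate-key failure described in the rationale (`user=sssd` and `user=bob` in the same `[sssd]` section, so the existing macro sees a matching value and leaves the wrong one in place) reproduced on a constructed sssd.conf. This is an added example, not code from the PR or from the ComplianceAsCode macros; the sample file layout, the function names and the temporary-file handling are assumptions. The cleanup keeps the section-scoped sed range used in the datastream diff above but anchors the accepted value at end of line, so a value such as `sssd2` is removed as well.

```shell
#!/bin/sh
# Added example, not code from the PR or from the ComplianceAsCode macros:
# reproduce the duplicate 'user' key case from the rationale on a constructed
# sssd.conf and apply a section-scoped cleanup of wrong values.
# Function names, the sample layout and the temp-file handling are assumptions.

# Write the constructed sample: [sssd] carries user=sssd plus two wrong
# values, as in the wrong_value.fail.sh scenario; the domain section has its
# own 'user' key that must survive untouched.
make_sample_conf() {
    cat > "$1" << 'EOF'
[sssd]
user=sssd
user = bob
user=sssd2
domains=default

[domain/default]
id_provider = files
user = keep_me
EOF
}

# Print how many 'user' keys the [sssd] section holds. The sed range runs from
# the [sssd] header to the next section header (or end of file).
count_user_in_sssd_section() {
    sed -n '/^[[:space:]]*\[sssd\]/,/^[[:space:]]*\[/{/^[[:space:]]*user[[:blank:]]*=/p;}' "$1" \
        | wc -l | tr -d ' '
}

# Within [sssd] only, delete every 'user' key whose value is not exactly
# 'sssd'. The value is anchored at end of line so that 'sssd2' is rejected too.
drop_wrong_user_values() {
    sed -i '/^[[:space:]]*\[sssd\]/,/^[[:space:]]*\[/{/^[[:space:]]*user[[:blank:]]*=/{/=[[:blank:]]*sssd[[:blank:]]*$/!d;};}' "$1"
}

# Print the 'user' line of one section, for inspection after the cleanup.
# $1: config file, $2: section name as written between the brackets,
# with any '/' escaped as '\/' because it is also the sed delimiter.
user_line_in_section() {
    sed -n "/^[[:space:]]*\[$2\]/,/^[[:space:]]*\[/{/^[[:space:]]*user[[:blank:]]*=/p;}" "$1"
}

# Run the round trip on a temporary file and report the before/after state.
demo() {
    tmp=$(mktemp)
    make_sample_conf "$tmp"
    echo "user keys in [sssd] before: $(count_user_in_sssd_section "$tmp")"
    drop_wrong_user_values "$tmp"
    echo "user keys in [sssd] after:  $(count_user_in_sssd_section "$tmp")"
    echo "kept in [sssd]: $(user_line_in_section "$tmp" sssd)"
    echo "kept in [domain/default]: $(user_line_in_section "$tmp" 'domain\/default')"
    rm -f "$tmp"
}

demo
```

Running it shows three `user` keys in `[sssd]` before the cleanup and one (`user=sssd`) afterwards, while `user = keep_me` in `[domain/default]` is left alone because the sed range stops at the next section header.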