Skip to content

Sle16 update sudoers related rules checks and remediations#14698

Draft
teacup-on-rockingchair wants to merge 5 commits intoComplianceAsCode:masterfrom
teacup-on-rockingchair:sle16_update_sudoers_related_rules_checks_n_remediations
Draft

Sle16 update sudoers related rules checks and remediations#14698
teacup-on-rockingchair wants to merge 5 commits intoComplianceAsCode:masterfrom
teacup-on-rockingchair:sle16_update_sudoers_related_rules_checks_n_remediations

Conversation

@teacup-on-rockingchair
Copy link
Copy Markdown
Contributor

@teacup-on-rockingchair teacup-on-rockingchair commented May 7, 2026

Description:

  • Update sudoers related rules checks and remediations for SLE16

Rationale:

  • Check if non-default sed_path_separator is used and add escape to it
  • Add condition for sle16/slmicro6, file is missing by default
  • Update the template for sle16 so
    • if /etc/sudoers is missing always fail the OVAL
      in bash,ansible remediations:
    • copy distro defaults and remove @includedir /usr/etc/sudoers.d before applying real fix
  • Make sure we use sudo_defaults_option implementation and add relevant tests
  • Added same fixes as sudo_defaults_option template and modified/added tests

@teacup-on-rockingchair
Check if non-default sed_path_separator is used and add escape to it
b2295e9 
Make sure the macro lineinfile_absent works ok with lines using forward slash, so the sed can work with those lines&strings
@teacup-on-rockingchair
Add condition for sle16/slmicro6, file is missing by default
4f41aa5
@teacup-on-rockingchair
Update the template for sle16 so
d4450c2 
- if /etc/sudoers is missing always fail the OVAL
in bash,ansible remediations:
- copy distro defaults and remove @includedir /usr/etc/sudoers.d before applying real fix
@teacup-on-rockingchair
Make sure we use sudo_defaults_option implementation and add relevant…
106af1e 
… tests
@teacup-on-rockingchair
added same fixes as sudo_defaults_option template and modified/added …
fe209e3 
…tests
@teacup-on-rockingchair teacup-on-rockingchair added this to the 0.1.81 milestone May 7, 2026
@teacup-on-rockingchair teacup-on-rockingchair added Ansible Ansible remediation update. OVAL OVAL update. Related to the systems assessments. Bash Bash remediation update. SLES SUSE Linux Enterprise Server product related. Update Template Issues or pull requests related to Templates updates. labels May 7, 2026
@openshift-ci openshift-ci Bot added the do-not-merge/work-in-progress Used by openshift-ci bot. label May 7, 2026
@openshift-ci
Copy link
Copy Markdown

openshift-ci Bot commented May 7, 2026

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@github-actions
Copy link
Copy Markdown

github-actions Bot commented May 7, 2026

This datastream diff is auto generated by the check Compare DS/Generate Diff

Click here to see the full diff 
bash remediation for rule 'xccdf_org.ssgproject.content_rule_harden_sshd_ciphers_openssh_conf_crypto_policy' differs.
--- xccdf_org.ssgproject.content_rule_harden_sshd_ciphers_openssh_conf_crypto_policy
+++ xccdf_org.ssgproject.content_rule_harden_sshd_ciphers_openssh_conf_crypto_policy
@@ -3,7 +3,6 @@
 
 sshd_approved_ciphers=''
 if [ -e "/etc/crypto-policies/back-ends/openssh.config" ] ; then
-    
     LC_ALL=C sed -i "/^.*Ciphers\s\+/d" "/etc/crypto-policies/back-ends/openssh.config"
 else
     touch "/etc/crypto-policies/back-ends/openssh.config"

bash remediation for rule 'xccdf_org.ssgproject.content_rule_harden_sshd_macs_openssh_conf_crypto_policy' differs.
--- xccdf_org.ssgproject.content_rule_harden_sshd_macs_openssh_conf_crypto_policy
+++ xccdf_org.ssgproject.content_rule_harden_sshd_macs_openssh_conf_crypto_policy
@@ -3,7 +3,6 @@
 
 sshd_approved_macs=''
 if [ -e "/etc/crypto-policies/back-ends/openssh.config" ] ; then
-    
     LC_ALL=C sed -i "/^.*MACs\s\+/d" "/etc/crypto-policies/back-ends/openssh.config"
 else
     touch "/etc/crypto-policies/back-ends/openssh.config"

bash remediation for rule 'xccdf_org.ssgproject.content_rule_sudo_add_passwd_timeout' differs.
--- xccdf_org.ssgproject.content_rule_sudo_add_passwd_timeout
+++ xccdf_org.ssgproject.content_rule_sudo_add_passwd_timeout
@@ -2,6 +2,8 @@
 if rpm --quiet -q kernel-core; then
 
 var_sudo_passwd_timeout=''
+
+
 
 
 if /usr/sbin/visudo -qcf /etc/sudoers; then

bash remediation for rule 'xccdf_org.ssgproject.content_rule_sudo_add_umask' differs.
--- xccdf_org.ssgproject.content_rule_sudo_add_umask
+++ xccdf_org.ssgproject.content_rule_sudo_add_umask
@@ -2,6 +2,8 @@
 if rpm --quiet -q kernel-core; then
 
 var_sudo_umask=''
+
+
 
 
 if /usr/sbin/visudo -qcf /etc/sudoers; then

bash remediation for rule 'xccdf_org.ssgproject.content_rule_sudo_custom_logfile' differs.
--- xccdf_org.ssgproject.content_rule_sudo_custom_logfile
+++ xccdf_org.ssgproject.content_rule_sudo_custom_logfile
@@ -2,6 +2,8 @@
 if rpm --quiet -q kernel-core && { rpm --quiet -q sudo; }; then
 
 var_sudo_logfile=''
+
+
 
 
 if /usr/sbin/visudo -qcf /etc/sudoers; then

bash remediation for rule 'xccdf_org.ssgproject.content_rule_sudo_require_reauthentication' differs.
--- xccdf_org.ssgproject.content_rule_sudo_require_reauthentication
+++ xccdf_org.ssgproject.content_rule_sudo_require_reauthentication
@@ -2,6 +2,8 @@
 if rpm --quiet -q kernel-core && { rpm --quiet -q sudo; }; then
 
 var_sudo_timestamp_timeout=''
+
+
 
 
 if grep -Px '^[\s]*Defaults.*timestamp_timeout[\s]*=.*' /etc/sudoers.d/*; then
@@ -19,7 +21,7 @@
             sed -Ei "s/(^[[:blank:]]*Defaults.*timestamp_timeout[[:blank:]]*=)[[:blank:]]*[-]?\w+(.*$)/\1${var_sudo_timestamp_timeout}\2/" /etc/sudoers
         fi
     fi
-    
+
     # Check validity of sudoers and cleanup bak
     if /usr/sbin/visudo -qcf /etc/sudoers; then
         rm -f /etc/sudoers.bak

bash remediation for rule 'xccdf_org.ssgproject.content_rule_sudoers_validate_passwd' differs.
--- xccdf_org.ssgproject.content_rule_sudoers_validate_passwd
+++ xccdf_org.ssgproject.content_rule_sudoers_validate_passwd
@@ -21,7 +21,6 @@
 fi
 
 if [ -e "/etc/sudoers" ] ; then
-    
     LC_ALL=C sed -i "/Defaults !targetpw/d" "/etc/sudoers"
 else
     touch "/etc/sudoers"
@@ -35,7 +34,6 @@
 # Clean up after ourselves.
 rm "/etc/sudoers.bak"
 if [ -e "/etc/sudoers" ] ; then
-    
     LC_ALL=C sed -i "/Defaults !rootpw/d" "/etc/sudoers"
 else
     touch "/etc/sudoers"
@@ -49,7 +47,6 @@
 # Clean up after ourselves.
 rm "/etc/sudoers.bak"
 if [ -e "/etc/sudoers" ] ; then
-    
     LC_ALL=C sed -i "/Defaults !runaspw/d" "/etc/sudoers"
 else
     touch "/etc/sudoers"

bash remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_password_pam_pwhistory_enforce_for_root' differs.
--- xccdf_org.ssgproject.content_rule_accounts_password_pam_pwhistory_enforce_for_root
+++ xccdf_org.ssgproject.content_rule_accounts_password_pam_pwhistory_enforce_for_root
@@ -2,7 +2,6 @@
 if rpm --quiet -q kernel-core && { rpm --quiet -q pam; }; then
 
 if [ -e "/etc/security/pwhistory.conf" ] ; then
-    
     LC_ALL=C sed -i "/^\s*enforce_for_root/Id" "/etc/security/pwhistory.conf"
 else
     touch "/etc/security/pwhistory.conf"

bash remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_password_pam_enforce_local' differs.
--- xccdf_org.ssgproject.content_rule_accounts_password_pam_enforce_local
+++ xccdf_org.ssgproject.content_rule_accounts_password_pam_enforce_local
@@ -2,7 +2,6 @@
 if rpm --quiet -q kernel-core && { rpm --quiet -q libpwquality; }; then
 
 if [ -e "/etc/security/pwquality.conf" ] ; then
-    
     LC_ALL=C sed -i "/^\s*local_users_only/Id" "/etc/security/pwquality.conf"
 else
     touch "/etc/security/pwquality.conf"

bash remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_password_pam_enforce_root' differs.
--- xccdf_org.ssgproject.content_rule_accounts_password_pam_enforce_root
+++ xccdf_org.ssgproject.content_rule_accounts_password_pam_enforce_root
@@ -2,7 +2,6 @@
 if rpm --quiet -q kernel-core && { rpm --quiet -q libpwquality; }; then
 
 if [ -e "/etc/security/pwquality.conf" ] ; then
-    
     LC_ALL=C sed -i "/^\s*enforce_for_root/Id" "/etc/security/pwquality.conf"
 else
     touch "/etc/security/pwquality.conf"

bash remediation for rule 'xccdf_org.ssgproject.content_rule_set_password_hashing_min_rounds_logindefs' differs.
--- xccdf_org.ssgproject.content_rule_set_password_hashing_min_rounds_logindefs
+++ xccdf_org.ssgproject.content_rule_set_password_hashing_min_rounds_logindefs
@@ -12,7 +12,6 @@
 
 if [[ -z "$current_min_rounds" || "$current_min_rounds" -le "$var_password_hashing_min_rounds_login_defs" ]]; then
     if [ -e "/etc/login.defs" ] ; then
-        
         LC_ALL=C sed -i "/^\s*SHA_CRYPT_MIN_ROUNDS\s*/Id" "/etc/login.defs"
     else
         printf '%s\n' "Path '/etc/login.defs' wasn't found on this system. Refusing to continue." >&2
@@ -30,7 +29,6 @@
 
 if [[ -n "$current_max_rounds" && "$current_max_rounds" -le "$var_password_hashing_min_rounds_login_defs" ]]; then
     if [ -e "/etc/login.defs" ] ; then
-        
         LC_ALL=C sed -i "/^\s*SHA_CRYPT_MAX_ROUNDS\s*/Id" "/etc/login.defs"
     else
         printf '%s\n' "Path '/etc/login.defs' wasn't found on this system. Refusing to continue." >&2

bash remediation for rule 'xccdf_org.ssgproject.content_rule_logind_session_timeout' differs.
--- xccdf_org.ssgproject.content_rule_logind_session_timeout
+++ xccdf_org.ssgproject.content_rule_logind_session_timeout
@@ -5,7 +5,6 @@
 
 
 # Remove StopIdleSessionSec from main config
-
 LC_ALL=C sed -i "/^\s*StopIdleSessionSec\s*=/Id" "/etc/systemd/logind.conf"
 
 

bash remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_have_homedir_login_defs' differs.
--- xccdf_org.ssgproject.content_rule_accounts_have_homedir_login_defs
+++ xccdf_org.ssgproject.content_rule_accounts_have_homedir_login_defs
@@ -2,7 +2,6 @@
 if ( ( rpm --quiet -q shadow-utils && rpm --quiet -q kernel-core ) ); then
 
 if [ -e "/etc/login.defs" ] ; then
-    
     LC_ALL=C sed -i "/^\s*CREATE_HOME\s\+/Id" "/etc/login.defs"
 else
     touch "/etc/login.defs"

bash remediation for rule 'xccdf_org.ssgproject.content_rule_rsyslog_encrypt_offload_actionsendstreamdriverauthmode' differs.
--- xccdf_org.ssgproject.content_rule_rsyslog_encrypt_offload_actionsendstreamdriverauthmode
+++ xccdf_org.ssgproject.content_rule_rsyslog_encrypt_offload_actionsendstreamdriverauthmode
@@ -14,7 +14,6 @@
 find $RSYSLOG_D_FOLDER -type f -name "*.conf" -exec sed -i '/^[[:space:]]*action(/ { :a; N; /)/!ba; /StreamDriverAuthMode/d }' {} +
 
 if [ -e "$RSYSLOG_D_CONF" ] ; then
-    
     LC_ALL=C sed -i "/^\s*\$ActionSendStreamDriverAuthMode\s\+/Id" "$RSYSLOG_D_CONF"
 else
     touch "$RSYSLOG_D_CONF"

bash remediation for rule 'xccdf_org.ssgproject.content_rule_rsyslog_encrypt_offload_actionsendstreamdrivermode' differs.
--- xccdf_org.ssgproject.content_rule_rsyslog_encrypt_offload_actionsendstreamdrivermode
+++ xccdf_org.ssgproject.content_rule_rsyslog_encrypt_offload_actionsendstreamdrivermode
@@ -14,7 +14,6 @@
 find $RSYSLOG_D_FOLDER -type f -name "*.conf" -exec sed -i '/^[[:space:]]*action(/ { :a; N; /)/!ba; /StreamDriverMode/d }' {} +
 
 if [ -e "$RSYSLOG_D_CONF" ] ; then
-    
     LC_ALL=C sed -i "/^\s*\$ActionSendStreamDriverMode\s\+/Id" "$RSYSLOG_D_CONF"
 else
     touch "$RSYSLOG_D_CONF"

bash remediation for rule 'xccdf_org.ssgproject.content_rule_rsyslog_encrypt_offload_defaultnetstreamdriver' differs.
--- xccdf_org.ssgproject.content_rule_rsyslog_encrypt_offload_defaultnetstreamdriver
+++ xccdf_org.ssgproject.content_rule_rsyslog_encrypt_offload_defaultnetstreamdriver
@@ -14,7 +14,6 @@
 find $RSYSLOG_D_FOLDER -type f -name "*.conf" -exec sed -i '/^[[:space:]]*global(/ { :a; N; /)/!ba; /DefaultNetstreamDriver/d }' {} +
 
 if [ -e "$RSYSLOG_D_CONF" ] ; then
-    
     LC_ALL=C sed -i "/^\s*\$DefaultNetstreamDriver\s\+/Id" "$RSYSLOG_D_CONF"
 else
     touch "$RSYSLOG_D_CONF"

bash remediation for rule 'xccdf_org.ssgproject.content_rule_firewalld-backend' differs.
--- xccdf_org.ssgproject.content_rule_firewalld-backend
+++ xccdf_org.ssgproject.content_rule_firewalld-backend
@@ -2,7 +2,6 @@
 if rpm --quiet -q kernel-core && { rpm --quiet -q firewalld; }; then
 
 if [ -e "/etc/firewalld/firewalld.conf" ] ; then
-    
     LC_ALL=C sed -i "/^\s*FirewallBackend\s*=\s*/d" "/etc/firewalld/firewalld.conf"
 else
     touch "/etc/firewalld/firewalld.conf"

bash remediation for rule 'xccdf_org.ssgproject.content_rule_selinux_not_disabled' differs.
--- xccdf_org.ssgproject.content_rule_selinux_not_disabled
+++ xccdf_org.ssgproject.content_rule_selinux_not_disabled
@@ -12,7 +12,6 @@
 if [ "$selinux_current_state" != "enforcing" ] && [ "$selinux_current_state" != "permissive" ]; then
     # SELinux is disabled or not configured, set to permissive as a conservative approach
     if [ -e "/etc/selinux/config" ] ; then
-    
     LC_ALL=C sed -i "/^SELINUX=/Id" "/etc/selinux/config"
 else
     touch "/etc/selinux/config"

bash remediation for rule 'xccdf_org.ssgproject.content_rule_selinux_policytype' differs.
--- xccdf_org.ssgproject.content_rule_selinux_policytype
+++ xccdf_org.ssgproject.content_rule_selinux_policytype
@@ -4,7 +4,6 @@
 var_selinux_policy_name=''
 
 if [ -e "/etc/selinux/config" ] ; then
-    
     LC_ALL=C sed -i "/^SELINUXTYPE=/Id" "/etc/selinux/config"
 else
     touch "/etc/selinux/config"

bash remediation for rule 'xccdf_org.ssgproject.content_rule_selinux_state' differs.
--- xccdf_org.ssgproject.content_rule_selinux_state
+++ xccdf_org.ssgproject.content_rule_selinux_state
@@ -5,7 +5,6 @@
 
 
 if [ -e "/etc/selinux/config" ] ; then
-    
     LC_ALL=C sed -i "/^SELINUX=/Id" "/etc/selinux/config"
 else
     touch "/etc/selinux/config"

bash remediation for rule 'xccdf_org.ssgproject.content_rule_fapolicy_default_deny' differs.
--- xccdf_org.ssgproject.content_rule_fapolicy_default_deny
+++ xccdf_org.ssgproject.content_rule_fapolicy_default_deny
@@ -10,7 +10,6 @@
 chgrp fapolicyd /etc/fapolicyd/rules.d/99-deny-everything.rules
 
 if [ -e "/etc/fapolicyd/fapolicyd.conf" ] ; then
-    
     LC_ALL=C sed -i "/^\s*permissive\s*=\s*/Id" "/etc/fapolicyd/fapolicyd.conf"
 else
     touch "/etc/fapolicyd/fapolicyd.conf"

bash remediation for rule 'xccdf_org.ssgproject.content_rule_postfix_client_configure_mail_alias_postmaster' differs.
--- xccdf_org.ssgproject.content_rule_postfix_client_configure_mail_alias_postmaster
+++ xccdf_org.ssgproject.content_rule_postfix_client_configure_mail_alias_postmaster
@@ -2,7 +2,6 @@
 if rpm --quiet -q kernel-core; then
 
 if [ -e "/etc/aliases" ] ; then
-    
     LC_ALL=C sed -i "/^\s*postmaster\s*:\s*/Id" "/etc/aliases"
 else
     touch "/etc/aliases"

bash remediation for rule 'xccdf_org.ssgproject.content_rule_postfix_network_listening_disabled' differs.
--- xccdf_org.ssgproject.content_rule_postfix_network_listening_disabled
+++ xccdf_org.ssgproject.content_rule_postfix_network_listening_disabled
@@ -5,7 +5,6 @@
 
 
 if [ -e "/etc/postfix/main.cf" ] ; then
-    
     LC_ALL=C sed -i "/^\s*inet_interfaces\s\+=\s\+/Id" "/etc/postfix/main.cf"
 else
     touch "/etc/postfix/main.cf"

bash remediation for rule 'xccdf_org.ssgproject.content_rule_ssh_client_rekey_limit' differs.
--- xccdf_org.ssgproject.content_rule_ssh_client_rekey_limit
+++ xccdf_org.ssgproject.content_rule_ssh_client_rekey_limit
@@ -17,7 +17,6 @@
 done
 
 if [ -e "/etc/ssh/ssh_config.d/02-rekey-limit.conf" ] ; then
-    
     LC_ALL=C sed -i "/^\s*RekeyLimit\s\+/d" "/etc/ssh/ssh_config.d/02-rekey-limit.conf"
 else
     touch "/etc/ssh/ssh_config.d/02-rekey-limit.conf"

bash remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_set_keepalive_0' differs.
--- xccdf_org.ssgproject.content_rule_sshd_set_keepalive_0
+++ xccdf_org.ssgproject.content_rule_sshd_set_keepalive_0
@@ -2,7 +2,6 @@
 if rpm --quiet -q kernel-core; then
 
 if [ -e "/etc/ssh/sshd_config" ] ; then
-    
     LC_ALL=C sed -i "/^\s*ClientAliveCountMax\s\+/Id" "/etc/ssh/sshd_config"
 else
     touch "/etc/ssh/sshd_config"

bash remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_set_keepalive' differs.
--- xccdf_org.ssgproject.content_rule_sshd_set_keepalive
+++ xccdf_org.ssgproject.content_rule_sshd_set_keepalive
@@ -4,7 +4,6 @@
 var_sshd_set_keepalive=''
 
 if [ -e "/etc/ssh/sshd_config" ] ; then
-    
     LC_ALL=C sed -i "/^\s*ClientAliveCountMax\s\+/Id" "/etc/ssh/sshd_config"
 else
     touch "/etc/ssh/sshd_config"

bash remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout' differs.
--- xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout
+++ xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout
@@ -4,7 +4,6 @@
 sshd_idle_timeout_value=''
 
 if [ -e "/etc/ssh/sshd_config" ] ; then
-    
     LC_ALL=C sed -i "/^\s*ClientAliveInterval\s\+/Id" "/etc/ssh/sshd_config"
 else
     touch "/etc/ssh/sshd_config"

bash remediation for rule 'xccdf_org.ssgproject.content_rule_disable_host_auth' differs.
--- xccdf_org.ssgproject.content_rule_disable_host_auth
+++ xccdf_org.ssgproject.content_rule_disable_host_auth
@@ -2,7 +2,6 @@
 if rpm --quiet -q kernel-core; then
 
 if [ -e "/etc/ssh/sshd_config" ] ; then
-    
     LC_ALL=C sed -i "/^\s*HostbasedAuthentication\s\+/Id" "/etc/ssh/sshd_config"
 else
     touch "/etc/ssh/sshd_config"

bash remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_allow_only_protocol2' differs.
--- xccdf_org.ssgproject.content_rule_sshd_allow_only_protocol2
+++ xccdf_org.ssgproject.content_rule_sshd_allow_only_protocol2
@@ -2,7 +2,6 @@
 if rpm --quiet -q kernel-core && { ( rpm --quiet -q openssh-server && { real="$(epoch=$(rpm -q --queryformat '%{EPOCH}' openssh-server); version=$(rpm -q --queryformat '%{VERSION}' openssh-server); [ "$epoch" = "(none)" ] && echo "0:$version" || echo "$epoch:$version")"; expected="0:7.0"; [[ "$real" != "$expected" ]] && printf "%s\n%s" "$real" "$expected" | sort -VC; } ); }; then
 
 if [ -e "/etc/ssh/sshd_config" ] ; then
-    
     LC_ALL=C sed -i "/^\s*Protocol\s\+/Id" "/etc/ssh/sshd_config"
 else
     touch "/etc/ssh/sshd_config"

bash remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_disable_compression' differs.
--- xccdf_org.ssgproject.content_rule_sshd_disable_compression
+++ xccdf_org.ssgproject.content_rule_sshd_disable_compression
@@ -4,7 +4,6 @@
 var_sshd_disable_compression=''
 
 if [ -e "/etc/ssh/sshd_config" ] ; then
-    
     LC_ALL=C sed -i "/^\s*Compression\s\+/Id" "/etc/ssh/sshd_config"
 else
     touch "/etc/ssh/sshd_config"

bash remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords' differs.
--- xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords
+++ xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords
@@ -2,7 +2,6 @@
 if rpm --quiet -q kernel-core; then
 
 if [ -e "/etc/ssh/sshd_config" ] ; then
-    
     LC_ALL=C sed -i "/^\s*PermitEmptyPasswords\s\+/Id" "/etc/ssh/sshd_config"
 else
     touch "/etc/ssh/sshd_config"

bash remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_disable_forwarding' differs.
--- xccdf_org.ssgproject.content_rule_sshd_disable_forwarding
+++ xccdf_org.ssgproject.content_rule_sshd_disable_forwarding
@@ -2,7 +2,6 @@
 if rpm --quiet -q kernel-core; then
 
 if [ -e "/etc/ssh/sshd_config" ] ; then
-    
     LC_ALL=C sed -i "/^\s*DisableForwarding\s\+/Id" "/etc/ssh/sshd_config"
 else
     touch "/etc/ssh/sshd_config"

bash remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_disable_gssapi_auth' differs.
--- xccdf_org.ssgproject.content_rule_sshd_disable_gssapi_auth
+++ xccdf_org.ssgproject.content_rule_sshd_disable_gssapi_auth
@@ -2,7 +2,6 @@
 if rpm --quiet -q kernel-core; then
 
 if [ -e "/etc/ssh/sshd_config" ] ; then
-    
     LC_ALL=C sed -i "/^\s*GSSAPIAuthentication\s\+/Id" "/etc/ssh/sshd_config"
 else
     touch "/etc/ssh/sshd_config"

bash remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_disable_kerb_auth' differs.
--- xccdf_org.ssgproject.content_rule_sshd_disable_kerb_auth
+++ xccdf_org.ssgproject.content_rule_sshd_disable_kerb_auth
@@ -2,7 +2,6 @@
 if rpm --quiet -q kernel-core; then
 
 if [ -e "/etc/ssh/sshd_config" ] ; then
-    
     LC_ALL=C sed -i "/^\s*KerberosAuthentication\s\+/Id" "/etc/ssh/sshd_config"
 else
     touch "/etc/ssh/sshd_config"

bash remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_disable_pubkey_auth' differs.
--- xccdf_org.ssgproject.content_rule_sshd_disable_pubkey_auth
+++ xccdf_org.ssgproject.content_rule_sshd_disable_pubkey_auth
@@ -2,7 +2,6 @@
 if rpm --quiet -q kernel-core; then
 
 if [ -e "/etc/ssh/sshd_config" ] ; then
-    
     LC_ALL=C sed -i "/^\s*PubkeyAuthentication\s\+/Id" "/etc/ssh/sshd_config"
 else
     touch "/etc/ssh/sshd_config"

bash remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_disable_rhosts' differs.
--- xccdf_org.ssgproject.content_rule_sshd_disable_rhosts
+++ xccdf_org.ssgproject.content_rule_sshd_disable_rhosts
@@ -2,7 +2,6 @@
 if rpm --quiet -q kernel-core; then
 
 if [ -e "/etc/ssh/sshd_config" ] ; then
-    
     LC_ALL=C sed -i "/^\s*IgnoreRhosts\s\+/Id" "/etc/ssh/sshd_config"
 else
     touch "/etc/ssh/sshd_config"

bash remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_disable_rhosts_rsa' differs.
--- xccdf_org.ssgproject.content_rule_sshd_disable_rhosts_rsa
+++ xccdf_org.ssgproject.content_rule_sshd_disable_rhosts_rsa
@@ -2,7 +2,6 @@
 if rpm --quiet -q kernel-core; then
 
 if [ -e "/etc/ssh/sshd_config" ] ; then
-    
     LC_ALL=C sed -i "/^\s*RhostsRSAAuthentication\s\+/Id" "/etc/ssh/sshd_config"
 else
     touch "/etc/ssh/sshd_config"

bash remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_disable_root_login' differs.
--- xccdf_org.ssgproject.content_rule_sshd_disable_root_login
+++ xccdf_org.ssgproject.content_rule_sshd_disable_root_login
@@ -2,7 +2,6 @@
 if rpm --quiet -q kernel-core; then
 
 if [ -e "/etc/ssh/sshd_config" ] ; then
-    
     LC_ALL=C sed -i "/^\s*PermitRootLogin\s\+/Id" "/etc/ssh/sshd_config"
 else
     touch "/etc/ssh/sshd_config"

bash remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_disable_root_password_login' differs.
--- xccdf_org.ssgproject.content_rule_sshd_disable_root_password_login
+++ xccdf_org.ssgproject.content_rule_sshd_disable_root_password_login
@@ -2,7 +2,6 @@
 if rpm --quiet -q kernel-core; then
 
 if [ -e "/etc/ssh/sshd_config" ] ; then
-    
     LC_ALL=C sed -i "/^\s*PermitRootLogin\s\+/Id" "/etc/ssh/sshd_config"
 else
     touch "/etc/ssh/sshd_config"

bash remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_disable_tcp_forwarding' differs.
--- xccdf_org.ssgproject.content_rule_sshd_disable_tcp_forwarding
+++ xccdf_org.ssgproject.content_rule_sshd_disable_tcp_forwarding
@@ -2,7 +2,6 @@
 if rpm --quiet -q kernel-core; then
 
 if [ -e "/etc/ssh/sshd_config" ] ; then
-    
     LC_ALL=C sed -i "/^\s*AllowTcpForwarding\s\+/Id" "/etc/ssh/sshd_config"
 else
     touch "/etc/ssh/sshd_config"

bash remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_disable_user_known_hosts' differs.
--- xccdf_org.ssgproject.content_rule_sshd_disable_user_known_hosts
+++ xccdf_org.ssgproject.content_rule_sshd_disable_user_known_hosts
@@ -2,7 +2,6 @@
 if rpm --quiet -q kernel-core; then
 
 if [ -e "/etc/ssh/sshd_config" ] ; then
-    
     LC_ALL=C sed -i "/^\s*IgnoreUserKnownHosts\s\+/Id" "/etc/ssh/sshd_config"
 else
     touch "/etc/ssh/sshd_config"

bash remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_disable_x11_forwarding' differs.
--- xccdf_org.ssgproject.content_rule_sshd_disable_x11_forwarding
+++ xccdf_org.ssgproject.content_rule_sshd_disable_x11_forwarding
@@ -2,7 +2,6 @@
 if rpm --quiet -q kernel-core; then
 
 if [ -e "/etc/ssh/sshd_config" ] ; then
-    
     LC_ALL=C sed -i "/^\s*X11Forwarding\s\+/Id" "/etc/ssh/sshd_config"
 else
     touch "/etc/ssh/sshd_config"

bash remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_do_not_permit_user_env' differs.
--- xccdf_org.ssgproject.content_rule_sshd_do_not_permit_user_env
+++ xccdf_org.ssgproject.content_rule_sshd_do_not_permit_user_env
@@ -2,7 +2,6 @@
 if rpm --quiet -q kernel-core; then
 
 if [ -e "/etc/ssh/sshd_config" ] ; then
-    
     LC_ALL=C sed -i "/^\s*PermitUserEnvironment\s\+/Id" "/etc/ssh/sshd_config"
 else
     touch "/etc/ssh/sshd_config"

bash remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_enable_gssapi_auth' differs.
--- xccdf_org.ssgproject.content_rule_sshd_enable_gssapi_auth
+++ xccdf_org.ssgproject.content_rule_sshd_enable_gssapi_auth
@@ -2,7 +2,6 @@
 if rpm --quiet -q kernel-core; then
 
 if [ -e "/etc/ssh/sshd_config" ] ; then
-    
     LC_ALL=C sed -i "/^\s*GSSAPIAuthentication\s\+/Id" "/etc/ssh/sshd_config"
 else
     touch "/etc/ssh/sshd_config"

bash remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_enable_pam' differs.
--- xccdf_org.ssgproject.content_rule_sshd_enable_pam
+++ xccdf_org.ssgproject.content_rule_sshd_enable_pam
@@ -2,7 +2,6 @@
 if rpm --quiet -q kernel-core; then
 
 if [ -e "/etc/ssh/sshd_config" ] ; then
-    
     LC_ALL=C sed -i "/^\s*UsePAM\s\+/Id" "/etc/ssh/sshd_config"
 else
     touch "/etc/ssh/sshd_config"

bash remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_enable_pubkey_auth' differs.
--- xccdf_org.ssgproject.content_rule_sshd_enable_pubkey_auth
+++ xccdf_org.ssgproject.content_rule_sshd_enable_pubkey_auth
@@ -2,7 +2,6 @@
 if rpm --quiet -q kernel-core; then
 
 if [ -e "/etc/ssh/sshd_config" ] ; then
-    
     LC_ALL=C sed -i "/^\s*PubkeyAuthentication\s\+/Id" "/etc/ssh/sshd_config"
 else
     touch "/etc/ssh/sshd_config"

bash remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_enable_strictmodes' differs.
--- xccdf_org.ssgproject.content_rule_sshd_enable_strictmodes
+++ xccdf_org.ssgproject.content_rule_sshd_enable_strictmodes
@@ -2,7 +2,6 @@
 if rpm --quiet -q kernel-core; then
 
 if [ -e "/etc/ssh/sshd_config" ] ; then
-    
     LC_ALL=C sed -i "/^\s*StrictModes\s\+/Id" "/etc/ssh/sshd_config"
 else
     touch "/etc/ssh/sshd_config"

bash remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_enable_warning_banner' differs.
--- xccdf_org.ssgproject.content_rule_sshd_enable_warning_banner
+++ xccdf_org.ssgproject.content_rule_sshd_enable_warning_banner
@@ -2,7 +2,6 @@
 if rpm --quiet -q kernel-core; then
 
 if [ -e "/etc/ssh/sshd_config" ] ; then
-    
     LC_ALL=C sed -i "/^\s*Banner\s\+/Id" "/etc/ssh/sshd_config"
 else
     touch "/etc/ssh/sshd_config"

bash remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_enable_warning_banner_net' differs.
--- xccdf_org.ssgproject.content_rule_sshd_enable_warning_banner_net
+++ xccdf_org.ssgproject.content_rule_sshd_enable_warning_banner_net
@@ -2,7 +2,6 @@
 if rpm --quiet -q kernel-core; then
 
 if [ -e "/etc/ssh/sshd_config" ] ; then
-    
     LC_ALL=C sed -i "/^\s*Banner\s\+/Id" "/etc/ssh/sshd_config"
 else
     touch "/etc/ssh/sshd_config"

bash remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_enable_x11_forwarding' differs.
--- xccdf_org.ssgproject.content_rule_sshd_enable_x11_forwarding
+++ xccdf_org.ssgproject.content_rule_sshd_enable_x11_forwarding
@@ -2,7 +2,6 @@
 if rpm --quiet -q kernel-core; then
 
 if [ -e "/etc/ssh/sshd_config" ] ; then
-    
     LC_ALL=C sed -i "/^\s*X11Forwarding\s\+/Id" "/etc/ssh/sshd_config"
 else
     touch "/etc/ssh/sshd_config"

bash remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_print_last_log' differs.
--- xccdf_org.ssgproject.content_rule_sshd_print_last_log
+++ xccdf_org.ssgproject.content_rule_sshd_print_last_log
@@ -2,7 +2,6 @@
 if rpm --quiet -q kernel-core; then
 
 if [ -e "/etc/ssh/sshd_config" ] ; then
-    
     LC_ALL=C sed -i "/^\s*PrintLastLog\s\+/Id" "/etc/ssh/sshd_config"
 else
     touch "/etc/ssh/sshd_config"

bash remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_rekey_limit' differs.
--- xccdf_org.ssgproject.content_rule_sshd_rekey_limit
+++ xccdf_org.ssgproject.content_rule_sshd_rekey_limit
@@ -7,7 +7,6 @@
 
 
 if [ -e "/etc/ssh/sshd_config" ] ; then
-    
     LC_ALL=C sed -i "/^\s*RekeyLimit\s\+/Id" "/etc/ssh/sshd_config"
 else
     touch "/etc/ssh/sshd_config"

bash remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_set_login_grace_time' differs.
--- xccdf_org.ssgproject.content_rule_sshd_set_login_grace_time
+++ xccdf_org.ssgproject.content_rule_sshd_set_login_grace_time
@@ -4,7 +4,6 @@
 var_sshd_set_login_grace_time=''
 
 if [ -e "/etc/ssh/sshd_config" ] ; then
-    
     LC_ALL=C sed -i "/^\s*LoginGraceTime\s\+/Id" "/etc/ssh/sshd_config"
 else
     touch "/etc/ssh/sshd_config"

bash remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_set_loglevel_info' differs.
--- xccdf_org.ssgproject.content_rule_sshd_set_loglevel_info
+++ xccdf_org.ssgproject.content_rule_sshd_set_loglevel_info
@@ -2,7 +2,6 @@
 if rpm --quiet -q kernel-core; then
 
 if [ -e "/etc/ssh/sshd_config" ] ; then
-    
     LC_ALL=C sed -i "/^\s*LogLevel\s\+/Id" "/etc/ssh/sshd_config"
 else
     touch "/etc/ssh/sshd_config"

bash remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_set_loglevel_verbose' differs.
--- xccdf_org.ssgproject.content_rule_sshd_set_loglevel_verbose
+++ xccdf_org.ssgproject.content_rule_sshd_set_loglevel_verbose
@@ -2,7 +2,6 @@
 if rpm --quiet -q kernel-core; then
 
 if [ -e "/etc/ssh/sshd_config" ] ; then
-    
     LC_ALL=C sed -i "/^\s*LogLevel\s\+/Id" "/etc/ssh/sshd_config"
 else
     touch "/etc/ssh/sshd_config"

bash remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_set_max_auth_tries' differs.
--- xccdf_org.ssgproject.content_rule_sshd_set_max_auth_tries
+++ xccdf_org.ssgproject.content_rule_sshd_set_max_auth_tries
@@ -4,7 +4,6 @@
 sshd_max_auth_tries_value=''
 
 if [ -e "/etc/ssh/sshd_config" ] ; then
-    
     LC_ALL=C sed -i "/^\s*MaxAuthTries\s\+/Id" "/etc/ssh/sshd_config"
 else
     touch "/etc/ssh/sshd_config"

bash remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_set_max_sessions' differs.
--- xccdf_org.ssgproject.content_rule_sshd_set_max_sessions
+++ xccdf_org.ssgproject.content_rule_sshd_set_max_sessions
@@ -4,7 +4,6 @@
 var_sshd_max_sessions=''
 
 if [ -e "/etc/ssh/sshd_config" ] ; then
-    
     LC_ALL=C sed -i "/^\s*MaxSessions\s\+/Id" "/etc/ssh/sshd_config"
 else
     touch "/etc/ssh/sshd_config"

bash remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_set_maxstartups' differs.
--- xccdf_org.ssgproject.content_rule_sshd_set_maxstartups
+++ xccdf_org.ssgproject.content_rule_sshd_set_maxstartups
@@ -4,7 +4,6 @@
 var_sshd_set_maxstartups=''
 
 if [ -e "/etc/ssh/sshd_config" ] ; then
-    
     LC_ALL=C sed -i "/^\s*MaxStartups\s\+/Id" "/etc/ssh/sshd_config"
 else
     touch "/etc/ssh/sshd_config"

bash remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_use_approved_ciphers' differs.
--- xccdf_org.ssgproject.content_rule_sshd_use_approved_ciphers
+++ xccdf_org.ssgproject.content_rule_sshd_use_approved_ciphers
@@ -6,7 +6,6 @@
 
 
 if [ -e "/etc/ssh/sshd_config" ] ; then
-    
     LC_ALL=C sed -i "/^\s*Ciphers\s\+/Id" "/etc/ssh/sshd_config"
 else
     touch "/etc/ssh/sshd_config"

bash remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_use_priv_separation' differs.
--- xccdf_org.ssgproject.content_rule_sshd_use_priv_separation
+++ xccdf_org.ssgproject.content_rule_sshd_use_priv_separation
@@ -4,7 +4,6 @@
 var_sshd_priv_separation=''
 
 if [ -e "/etc/ssh/sshd_config" ] ; then
-    
     LC_ALL=C sed -i "/^\s*UsePrivilegeSeparation\s\+/Id" "/etc/ssh/sshd_config"
 else
     touch "/etc/ssh/sshd_config"

bash remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_use_strong_kex' differs.
--- xccdf_org.ssgproject.content_rule_sshd_use_strong_kex
+++ xccdf_org.ssgproject.content_rule_sshd_use_strong_kex
@@ -4,7 +4,6 @@
 sshd_strong_kex=''
 
 if [ -e "/etc/ssh/sshd_config" ] ; then
-    
     LC_ALL=C sed -i "/^\s*KexAlgorithms\s\+/Id" "/etc/ssh/sshd_config"
 else
     touch "/etc/ssh/sshd_config"

bash remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_use_strong_macs' differs.
--- xccdf_org.ssgproject.content_rule_sshd_use_strong_macs
+++ xccdf_org.ssgproject.content_rule_sshd_use_strong_macs
@@ -6,7 +6,6 @@
 
 
 if [ -e "/etc/ssh/sshd_config" ] ; then
-    
     LC_ALL=C sed -i "/^\s*MACs\s\+/Id" "/etc/ssh/sshd_config"
 else
     touch "/etc/ssh/sshd_config"

bash remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_use_strong_rng' differs.
--- xccdf_org.ssgproject.content_rule_sshd_use_strong_rng
+++ xccdf_org.ssgproject.content_rule_sshd_use_strong_rng
@@ -2,7 +2,6 @@
 if rpm --quiet -q kernel-core; then
 
 if [ -e "/etc/sysconfig/sshd" ] ; then
-    
     LC_ALL=C sed -i "/^\s*SSH_USE_STRONG_RNG\s*=\s*/d" "/etc/sysconfig/sshd"
 else
     touch "/etc/sysconfig/sshd"

bash remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_x11_use_localhost' differs.
--- xccdf_org.ssgproject.content_rule_sshd_x11_use_localhost
+++ xccdf_org.ssgproject.content_rule_sshd_x11_use_localhost
@@ -2,7 +2,6 @@
 if rpm --quiet -q kernel-core; then
 
 if [ -e "/etc/ssh/sshd_config" ] ; then
-    
     LC_ALL=C sed -i "/^\s*X11UseLocalhost\s\+/Id" "/etc/ssh/sshd_config"
 else
     touch "/etc/ssh/sshd_config"

bash remediation for rule 'xccdf_org.ssgproject.content_rule_configure_usbguard_auditbackend' differs.
--- xccdf_org.ssgproject.content_rule_configure_usbguard_auditbackend
+++ xccdf_org.ssgproject.content_rule_configure_usbguard_auditbackend
@@ -2,7 +2,6 @@
 if ( ! ( grep -sqE "^.*\.s390x$" /proc/sys/kernel/osrelease || grep -sqE "^s390x$" /proc/sys/kernel/arch; ) && rpm --quiet -q kernel-core ) && { rpm --quiet -q usbguard; }; then
 
 if [ -e "/etc/usbguard/usbguard-daemon.conf" ] ; then
-    
     LC_ALL=C sed -i "/^[ \\t]*AuditBackend=/Id" "/etc/usbguard/usbguard-daemon.conf"
 else
     touch "/etc/usbguard/usbguard-daemon.conf"

bash remediation for rule 'xccdf_org.ssgproject.content_rule_auditd_audispd_configure_remote_server' differs.
--- xccdf_org.ssgproject.content_rule_auditd_audispd_configure_remote_server
+++ xccdf_org.ssgproject.content_rule_auditd_audispd_configure_remote_server
@@ -9,7 +9,6 @@
 
 
 if [ -e "$AUDITCONFIG" ] ; then
-    
     LC_ALL=C sed -i "/^\s*remote_server\s*=\s*/Id" "$AUDITCONFIG"
 else
     printf '%s\n' "Path '$AUDITCONFIG' wasn't found on this system. Refusing to continue." >&2

bash remediation for rule 'xccdf_org.ssgproject.content_rule_auditd_freq' differs.
--- xccdf_org.ssgproject.content_rule_auditd_freq
+++ xccdf_org.ssgproject.content_rule_auditd_freq
@@ -6,7 +6,6 @@
 
 
 if [ -e "/etc/audit/auditd.conf" ] ; then
-    
     LC_ALL=C sed -i "/^\s*freq\s*=\s*/Id" "/etc/audit/auditd.conf"
 else
     touch "/etc/audit/auditd.conf"

bash remediation for rule 'xccdf_org.ssgproject.content_rule_auditd_local_events' differs.
--- xccdf_org.ssgproject.content_rule_auditd_local_events
+++ xccdf_org.ssgproject.content_rule_auditd_local_events
@@ -2,7 +2,6 @@
 if rpm --quiet -q audit && rpm --quiet -q kernel-core; then
 
 if [ -e "/etc/audit/auditd.conf" ] ; then
-    
     LC_ALL=C sed -i "/^\s*local_events\s*=\s*/Id" "/etc/audit/auditd.conf"
 else
     touch "/etc/audit/auditd.conf"

bash remediation for rule 'xccdf_org.ssgproject.content_rule_auditd_log_format' differs.
--- xccdf_org.ssgproject.content_rule_auditd_log_format
+++ xccdf_org.ssgproject.content_rule_auditd_log_format
@@ -2,7 +2,6 @@
 if rpm --quiet -q audit && rpm --quiet -q kernel-core; then
 
 if [ -e "/etc/audit/auditd.conf" ] ; then
-    
     LC_ALL=C sed -i "/^\s*log_format\s*=\s*/Id" "/etc/audit/auditd.conf"
 else
     touch "/etc/audit/auditd.conf"

bash remediation for rule 'xccdf_org.ssgproject.content_rule_auditd_name_format' differs.
--- xccdf_org.ssgproject.content_rule_auditd_name_format
+++ xccdf_org.ssgproject.content_rule_auditd_name_format
@@ -7,7 +7,6 @@
 var_auditd_name_format="$(echo $var_auditd_name_format | cut -d \| -f 1)"
 
 if [ -e "/etc/audit/auditd.conf" ] ; then
-    
     LC_ALL=C sed -i "/^\s*name_format\s*=\s*/Id" "/etc/audit/auditd.conf"
 else
     touch "/etc/audit/auditd.conf"

bash remediation for rule 'xccdf_org.ssgproject.content_rule_auditd_overflow_action' differs.
--- xccdf_org.ssgproject.content_rule_auditd_overflow_action
+++ xccdf_org.ssgproject.content_rule_auditd_overflow_action
@@ -2,7 +2,6 @@
 if rpm --quiet -q audit && rpm --quiet -q kernel-core; then
 
 if [ -e "/etc/audit/auditd.conf" ] ; then
-    
     LC_ALL=C sed -i "/^\s*overflow_action\s*=\s*/Id" "/etc/audit/auditd.conf"
 else
     touch "/etc/audit/auditd.conf"

bash remediation for rule 'xccdf_org.ssgproject.content_rule_auditd_write_logs' differs.
--- xccdf_org.ssgproject.content_rule_auditd_write_logs
+++ xccdf_org.ssgproject.content_rule_auditd_write_logs
@@ -2,7 +2,6 @@
 if rpm --quiet -q audit && rpm --quiet -q kernel-core; then
 
 if [ -e "/etc/audit/auditd.conf" ] ; then
-    
     LC_ALL=C sed -i "/^\s*write_logs\s*=\s*/Id" "/etc/audit/auditd.conf"
 else
     touch "/etc/audit/auditd.conf"

jan-cerny
jan-cerny reviewed May 7, 2026
View reviewed changes
Comment thread shared/templates/sudo_defaults_option/ansible.template
line: 'Defaults {{{ OPTION }}}'
validate: /usr/sbin/visudo -cf %s
{{% if product in [ 'sle16', 'slmicro6' ] %}}
when: not ansible_check_mode
Copy link
Copy Markdown
Collaborator

@jan-cerny jan-cerny May 7, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should this depend on existence of /etc/sudoers instead of depending on check mode?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jan-cerny jan-cerny jan-cerny left review comments

@matusmarhefka matusmarhefka Awaiting requested review from matusmarhefka matusmarhefka will be requested when the pull request is marked ready for review matusmarhefka is a code owner

@Mab879 Mab879 Awaiting requested review from Mab879 Mab879 will be requested when the pull request is marked ready for review Mab879 is a code owner

@vojtapolasek vojtapolasek Awaiting requested review from vojtapolasek vojtapolasek will be requested when the pull request is marked ready for review vojtapolasek is a code owner

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

Ansible Ansible remediation update. Bash Bash remediation update. do-not-merge/work-in-progress Used by openshift-ci bot. OVAL OVAL update. Related to the systems assessments. SLES SUSE Linux Enterprise Server product related. Update Template Issues or pull requests related to Templates updates.

Projects

None yet

Milestone

0.1.81

Development

Successfully merging this pull request may close these issues.

2 participants

@teacup-on-rockingchair @jan-cerny