diff --git a/docs/templates/template_reference.md b/docs/templates/template_reference.md
index d0ee43fb1b74..1de4f43b4966 100644
--- a/docs/templates/template_reference.md
+++ b/docs/templates/template_reference.md
@@ -259,6 +259,8 @@
- **filepath** - File path to be checked. If the file path ends
with `/` it describes a directory. Can also be a list of paths.
+ If **file_regex** is not specified, the rule will only check
+ and remediate directories.
- **filepath_is_regex** - If set to `"true"` the OVAL will
consider the value of **filepath** as a regular expression.
@@ -294,6 +296,8 @@ they must be of the same length.
- **filepath** - File path to be checked. If the file path ends
with `/` it describes a directory. Can also be a list of paths.
+ If **file_regex** is not specified, the rule will only check
+ and remediate directories.
- **filepath_is_regex** - If set to `"true"` the OVAL will
consider the value of **filepath** as a regular expression.
@@ -329,6 +333,8 @@ they must be of the same length.
- **filepath** - File path to be checked. If the file path ends
with `/` it describes a directory. Can also be a list of paths.
+ If **file_regex** is not specified, the rule will only check
+ and remediate directories.
- **filepath_is_regex** - If set to `"true"` the OVAL will
consider the value of **filepath** as a regular expression.
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_groupownership/oval/shared.xml b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_groupownership/oval/shared.xml
index 1fd016a87e12..180ded56be55 100644
--- a/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_groupownership/oval/shared.xml
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_groupownership/oval/shared.xml
@@ -8,14 +8,19 @@
- nobody
+ .*
state_accounts_users_home_files_groupownership_interactive_gids
+ state_accounts_users_home_files_groupownership_user_list
{{{ gid_min }}}
+
+ ^{{{ user_list }}}$
+
+
- nobody
+ .*
state_accounts_users_home_files_ownership_interactive_uids
+ state_accounts_users_home_files_ownership_user_list
{{{ uid_min }}}
+
+ ^{{{ user_list }}}$
+
+
- nobody
+ .*
state_accounts_users_home_files_permissions_interactive_uids
+ state_accounts_users_home_files_permissions_user_list
{{{ uid_min }}}
+
+ ^{{{ user_list }}}$
+
+
diff --git a/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/oval/shared.xml b/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/oval/shared.xml
index a1d1f2ef52e7..ed2b14b0c7f7 100644
--- a/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/oval/shared.xml
+++ b/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/oval/shared.xml
@@ -12,14 +12,19 @@
- nobody
+ .*
state_file_groupownership_home_directories_interactive_gids
+ state_file_permissions_groupownership_user_list
{{{ gid_min }}}
+
+ ^{{{ user_list }}}$
+
+
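Review bot: The new state id `state_file_permissions_groupownership_user_list` (line 66) does not name the rule that defines it, while every other id in this file is prefixed `state_file_groupownership_home_directories_`; the same happens at line 86, where file_ownership_home_directories gains `state_file_permissions_home_files_permissions_user_list`. OVAL ids must be unique across the whole built datastream, so an id borrowed from another rule's naming invites a collision the day that rule adds a state of the same name, and makes a failing definition harder to trace back to its source. Rename to `state_file_groupownership_home_directories_user_list` here and to a name matching its paired state (e.g. `state_file_permissions_home_directories_user_list`) at line 86. The element tags are not visible in this hunk, so the exclude semantics of the new state cannot be checked from here.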
diff --git a/linux_os/guide/system/accounts/accounts-session/file_ownership_home_directories/oval/shared.xml b/linux_os/guide/system/accounts/accounts-session/file_ownership_home_directories/oval/shared.xml
index 3d0b9aecbae3..d6f604f37b51 100644
--- a/linux_os/guide/system/accounts/accounts-session/file_ownership_home_directories/oval/shared.xml
+++ b/linux_os/guide/system/accounts/accounts-session/file_ownership_home_directories/oval/shared.xml
@@ -21,8 +21,9 @@
create local variables composed by UIDs e Home Dirs.
-->
- nobody
+ .*
state_file_ownership_home_directories_interactive_uids
+ state_file_ownership_home_directories_user_list
- nobody
+ .*
state_file_permissions_home_directories_interactive_uids
+ state_file_permissions_home_files_permissions_user_list
{{{ uid_min }}}
+
+ ^{{{ user_list }}}$
+
+
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/rule.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/rule.yml
index b6bc18e8310f..c22f6f8b0a4e 100644
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/rule.yml
@@ -69,5 +69,6 @@ template:
- /lib64/
- /usr/lib/
- /usr/lib64/
+ recursive: 'true'
file_regex: ^.*$
fileuid: '0'
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/tests/incorrect_owner_within_dir.fail.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/tests/incorrect_owner_within_dir.fail.sh
new file mode 100644
index 000000000000..b6f1634368cd
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/tests/incorrect_owner_within_dir.fail.sh
@@ -0,0 +1,9 @@
+# platform = multi_platform_sle,multi_platform_rhel,multi_platform_fedora,multi_platform_ubuntu
+
+useradd user_test
+
+TESTDIR="/usr/lib/dir/"
+
+mkdir $TESTDIR
+touch $TESTDIR/test_me
+chown user_test $TESTDIR/test_me
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/tests/incorrect_symlink.pass.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/tests/incorrect_symlink.pass.sh
new file mode 100644
index 000000000000..51bc6fe2d717
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/tests/incorrect_symlink.pass.sh
@@ -0,0 +1,9 @@
+# platform = multi_platform_sle,multi_platform_rhel,multi_platform_fedora,multi_platform_ubuntu
+
+useradd user_test
+
+TESTDIR="/usr/lib/"
+
+# The check ignores this symlink and results in pass
+ln -s $TESTDIR/mising_test_file $TESTDIR/faulty_symlink
+chown -h user_test $TESTDIR/faulty_symlink
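Review bot: The symlink target `mising_test_file` reads as a typo rather than as a deliberately absent file, which is the whole point of the scenario; spell it `missing_test_file` and make the comment say why it passes, e.g. `# Deliberately dangling symlink owned by a non-root user; the check is expected to skip symlinks, so this scenario passes`. The comment on the previous line asserts that the check ignores symlinks, but that is decided by the rule's OVAL (not in this diff), so naming the expectation explicitly helps whoever debugs a future regression. `$TESTDIR` already ends in `/`, so the unquoted `$TESTDIR/...` produces a double slash; harmless, but `"${TESTDIR}faulty_symlink"` is cleaner.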
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_library_dirs/rule.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_library_dirs/rule.yml
index 5a708cf78c33..8535a3f10fe3 100644
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_library_dirs/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_library_dirs/rule.yml
@@ -70,5 +70,6 @@ template:
- /lib64/
- /usr/lib/
- /usr/lib64/
+ recursive: 'true'
file_regex: ^.*$
filemode: '0755'
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_library_dirs/tests/lenient_permissions.fail.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_library_dirs/tests/lenient_permissions.fail.sh
index 913e75e7b178..7b0320fce482 100644
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_library_dirs/tests/lenient_permissions.fail.sh
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_library_dirs/tests/lenient_permissions.fail.sh
@@ -2,6 +2,5 @@
DIRS="/lib /lib64 /usr/lib /usr/lib64"
for dirPath in $DIRS; do
- find "$dirPath" -type d -exec chmod go-w '{}' \;
find "$dirPath" -type f -exec chmod go+w '{}' \;
done
diff --git a/linux_os/guide/system/software/system-tools/package_libreport-plugin-logger_removed/rule.yml b/linux_os/guide/system/software/system-tools/package_libreport-plugin-logger_removed/rule.yml
new file mode 100644
index 000000000000..94428d19dc0e
--- /dev/null
+++ b/linux_os/guide/system/software/system-tools/package_libreport-plugin-logger_removed/rule.yml
@@ -0,0 +1,30 @@
+documentation_complete: true
+
+prodtype: fedora,ol7,ol8,rhel7,rhel8
+
+title: 'Uninstall libreport-plugin-logger Package'
+
+description: |-
+ {{{ describe_package_remove(package="libreport-plugin-logger") }}}
+
+rationale: |-
+ libreport-plugin-logger is a ABRT plugin to report bugs into the
+ Red Hat Support system.
+
+severity: low
+
+identifiers:
+ cce@rhel8: CCE-89201-8
+
+references:
+ disa: CCI-000381
+ srg: SRG-OS-000095-GPOS-00049
+ stigid@ol8: OL08-00-040001
+ stigid@rhel8: RHEL-08-040001
+
+{{{ complete_ocil_entry_package(package="libreport-plugin-logger") }}}
+
+template:
+ name: package_removed
+ vars:
+ pkgname: libreport-plugin-logger
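Review bot: The rationale (lines 170-171) describes what the package is, not why a hardened system should not carry it, and it is word-for-word the rhtsupport rationale at lines 206-207 with the package name swapped, so the logger plugin is said to report into the Red Hat Support system, which from its name is presumably not what it does; worth confirming against the package description. CCI-000381 is about disabling functionality that is not required, so a rationale along the lines of `libreport-plugin-logger is an ABRT reporting plugin; crash-report forwarding is not required on a hardened system and is disabled by removing the plugin` (adjusted to what the plugin actually does) would match the reference. In both files `a ABRT plugin` should read `an ABRT plugin`.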
diff --git a/linux_os/guide/system/software/system-tools/package_libreport-plugin-rhtsupport_removed/rule.yml b/linux_os/guide/system/software/system-tools/package_libreport-plugin-rhtsupport_removed/rule.yml
new file mode 100644
index 000000000000..8ca0488c7956
--- /dev/null
+++ b/linux_os/guide/system/software/system-tools/package_libreport-plugin-rhtsupport_removed/rule.yml
@@ -0,0 +1,30 @@
+documentation_complete: true
+
+prodtype: fedora,ol7,ol8,rhel7,rhel8
+
+title: 'Uninstall libreport-plugin-rhtsupport Package'
+
+description: |-
+ {{{ describe_package_remove(package="libreport-plugin-rhtsupport") }}}
+
+rationale: |-
+ libreport-plugin-rhtsupport is a ABRT plugin to report bugs into the
+ Red Hat Support system.
+
+severity: low
+
+identifiers:
+ cce@rhel8: CCE-88955-0
+
+references:
+ disa: CCI-000381
+ srg: SRG-OS-000095-GPOS-00049
+ stigid@ol8: OL08-00-040001
+ stigid@rhel8: RHEL-08-040001
+
+{{{ complete_ocil_entry_package(package="libreport-plugin-rhtsupport") }}}
+
+template:
+ name: package_removed
+ vars:
+ pkgname: libreport-plugin-rhtsupport
diff --git a/products/ol8/profiles/ospp.profile b/products/ol8/profiles/ospp.profile
index b6fcfbf28d6e..0a4958dcdc2c 100644
--- a/products/ol8/profiles/ospp.profile
+++ b/products/ol8/profiles/ospp.profile
@@ -199,10 +199,12 @@ selections:
- package_nfs-utils_removed
- package_krb5-workstation_removed
- package_abrt-addon-kerneloops_removed
- - package_abrt-addon-python_removed
+ - package_python3-abrt-addon_removed
- package_abrt-addon-ccpp_removed
- package_abrt-plugin-sosreport_removed
- package_abrt-cli_removed
+ - package_libreport-plugin-rhtsupport_removed
+ - package_libreport-plugin-logger_removed
- package_abrt_removed
### Login
diff --git a/products/rhel8/profiles/ospp.profile b/products/rhel8/profiles/ospp.profile
index 4e033856b3d9..c20e1574ffc4 100644
--- a/products/rhel8/profiles/ospp.profile
+++ b/products/rhel8/profiles/ospp.profile
@@ -210,6 +210,8 @@ selections:
- package_abrt-addon-ccpp_removed
- package_abrt-plugin-sosreport_removed
- package_abrt-cli_removed
+ - package_libreport-plugin-rhtsupport_removed
+ - package_libreport-plugin-logger_removed
- package_abrt_removed
### Login
diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile
index 35be32dbf16c..82ef3d2425eb 100644
--- a/products/rhel8/profiles/stig.profile
+++ b/products/rhel8/profiles/stig.profile
@@ -931,6 +931,8 @@ selections:
- package_python3-abrt-addon_removed
- package_abrt-cli_removed
- package_abrt-plugin-sosreport_removed
+ - package_libreport-plugin-rhtsupport_removed
+ - package_libreport-plugin-logger_removed
# RHEL-08-040002
- package_sendmail_removed
diff --git a/products/rhel9/product.yml b/products/rhel9/product.yml
index ce86b172b700..6771ae5f6a82 100644
--- a/products/rhel9/product.yml
+++ b/products/rhel9/product.yml
@@ -22,11 +22,11 @@ dconf_gdm_dir: "distro.d"
# The fingerprints below are retrieved from https://access.redhat.com/security/team/key
pkg_release: "4ae0493b"
pkg_version: "fd431d51"
-aux_pkg_release: "5b32db75"
-aux_pkg_version: "d4082792"
+aux_pkg_release: "6229229e"
+aux_pkg_version: "5a6340b3"
release_key_fingerprint: "567E347AD0044ADE55BA8A5F199E2F91FD431D51"
-auxiliary_key_fingerprint: "6A6AA7C97C8890AEC6AEBFE2F76F66C3D4082792"
+auxiliary_key_fingerprint: "7E4624258C406535D56D6F135054E4A45A6340B3"
oval_feed_url: "https://access.redhat.com/security/data/oval/com.redhat.rhsa-RHEL9.xml.bz2"
cpes_root: "../../shared/applicability"
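Review bot: The auxiliary key fingerprint at line 281 is a trust anchor for package-signature checks, and the diff swaps it together with `aux_pkg_release`/`aux_pkg_version` without saying which key this is or why the previous one is retired; the only provenance is the URL in the comment at line 272. The last eight hex digits of the new fingerprint match `aux_pkg_version`, as they do for the release key, so the pair is at least self-consistent, but a reader of the history cannot tell whether the old key is revoked, expired or still valid alongside it. Extend the comment to record the key's name and creation date as listed on that page (`aux_pkg_release` looks like the creation timestamp, to be confirmed), e.g. `# auxiliary key: <key name from the Red Hat page>, created <date>; replaces d4082792`, so the rotation is auditable.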
diff --git a/shared/macros-oval.jinja b/shared/macros-oval.jinja
index e9eac999a46d..01f39e005320 100644
--- a/shared/macros-oval.jinja
+++ b/shared/macros-oval.jinja
@@ -902,3 +902,12 @@
{{%- endif %}}
{{%- endmacro %}}
+
+{{#
+ User list in form of regex that are excluded when checking user home directory permissions and ownerships.
+#}}
+{{%- if product in ["rhel7", "ol7"] %}}
+ {{%- set user_list="(nobody|nfsnobody)" %}}
+{{%- else %}}
+ {{%- set user_list="nobody" %}}
+{{%- endif %}}
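Review bot: `user_list` is a top-level `set` in a file that every OVAL template pulls in, so it lands in a shared namespace under a name that says nothing about its purpose; a name such as `home_dir_excluded_users_regex` (with the matching change in the OVAL files that reference it) would make the `^{{{ user_list }}}$` usages self-explanatory. The comment should also state that the value is a regex fragment that consumers anchor themselves, e.g. `{{# Regex fragment matching account names whose home directories are excluded from the ownership/permission checks; consumers anchor it as ^...$ #}}`. The rhel7/ol7 alternation is parenthesised so both names receive the anchors, which is correct.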
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
index 2432cc874542..e9ec9e6354a1 100644
--- a/shared/references/cce-redhat-avail.txt
+++ b/shared/references/cce-redhat-avail.txt
@@ -2854,7 +2854,6 @@ CCE-88951-9
CCE-88952-7
CCE-88953-5
CCE-88954-3
-CCE-88955-0
CCE-88956-8
CCE-88957-6
CCE-88958-4
@@ -3085,7 +3084,6 @@ CCE-89197-8
CCE-89198-6
CCE-89199-4
CCE-89200-0
-CCE-89201-8
CCE-89202-6
CCE-89203-4
CCE-89204-2
diff --git a/shared/templates/file_groupowner/ansible.template b/shared/templates/file_groupowner/ansible.template
index 0b4ab594155c..316b89f34f72 100644
--- a/shared/templates/file_groupowner/ansible.template
+++ b/shared/templates/file_groupowner/ansible.template
@@ -5,13 +5,18 @@
# disruption = low
{{% for path in FILEPATH %}}
-{{% if IS_DIRECTORY and FILE_REGEX %}}
+{{% if IS_DIRECTORY %}}
+{{% if FILE_REGEX %}}
+
+- name: Find {{{ path }}} file(s) matching {{{ FILE_REGEX[loop.index0] }}}{{% if RECURSIVE %}} recursively{{% endif %}}
-- name: Find {{{ path }}} file(s) matching {{{ FILE_REGEX[loop.index0] }}}
find:
paths: "{{{ path }}}"
patterns: {{{ FILE_REGEX[loop.index0] }}}
use_regex: yes
+{{% if RECURSIVE %}}
+ recurse: yes
+{{% endif %}}
hidden: yes
register: files_found
@@ -19,18 +24,23 @@
file:
path: "{{ item.path }}"
group: "{{{ FILEGID }}}"
+ state: file
+ when: item.gid != {{{ FILEGID }}}
with_items:
- "{{ files_found.files }}"
-{{% elif IS_DIRECTORY and RECURSIVE %}}
+{{% else %}}
-- name: Ensure group owner on {{{ path }}} recursively
+- name: Ensure group owner on {{{ path }}}{{% if RECURSIVE %}} recursively{{% endif %}}
file:
path: "{{{ path }}}"
state: directory
+{{% if RECURSIVE %}}
recurse: yes
+{{% endif %}}
group: "{{{ FILEGID }}}"
+{{% endif %}}
{{% else %}}
- name: Test for existence {{{ path }}}
diff --git a/shared/templates/file_groupowner/bash.template b/shared/templates/file_groupowner/bash.template
index 982d2f3c6a61..a7133d28c632 100644
--- a/shared/templates/file_groupowner/bash.template
+++ b/shared/templates/file_groupowner/bash.template
@@ -4,17 +4,25 @@
# complexity = low
# disruption = low
+{{%- if RECURSIVE %}}
+{{% set FIND_RECURSE_ARGS="" %}}
+{{%- else %}}
+{{% set FIND_RECURSE_ARGS="-maxdepth 1" %}}
+{{%- endif %}}
+
{{% for path in FILEPATH %}}
-{{% if IS_DIRECTORY and FILE_REGEX %}}
-readarray -t files < <(find {{{ path }}})
+{{%- if IS_DIRECTORY %}}
+{{%- if FILE_REGEX %}}
+readarray -t files < <(find {{{ path }}} {{{ FIND_RECURSE_ARGS }}} -type f ! -gid {{{ FILEGID }}})
for file in "${files[@]}"; do
- if basename $file | grep -qE '{{{ FILE_REGEX[loop.index0] }}}'; then
- chgrp {{{ FILEGID }}} $file
+ if basename "$file" | grep -qE '{{{ FILE_REGEX[loop.index0] }}}'; then
+ chgrp {{{ FILEGID }}} "$file"
fi
done
-{{% elif IS_DIRECTORY and RECURSIVE %}}
-find -L {{{ path }}} -type d -exec chgrp {{{ FILEGID }}} {} \;
{{% else %}}
+find -L {{{ path }}} {{{ FIND_RECURSE_ARGS }}} -type d -exec chgrp {{{ FILEGID }}} {} \;
+{{%- endif %}}
+{{%- else %}}
chgrp {{{ FILEGID }}} {{{ path }}}
-{{% endif %}}
+{{%- endif %}}
{{% endfor %}}
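Review bot: In the directory branch (line 393) the shared `FIND_RECURSE_ARGS` value `-maxdepth 1` makes the non-recursive, no-regex case chgrp the directory and every immediate subdirectory, whereas the code it replaces did `chgrp {{{ FILEGID }}} {{{ path }}}` on the directory alone; `-maxdepth 1` is right for the file branch (files directly inside the directory), but the equivalent depth for the directory branch is 0. If, as the old remediation suggests, the non-recursive directory check covers only the directory itself, the remediation now touches more than the check examines; `find -L {{{ path }}} {{% if not RECURSIVE %}}-maxdepth 0{{% endif %}} -type d -exec chgrp {{{ FILEGID }}} {} \;` keeps the two aligned. The file_owner and file_permissions bash templates have the same construction at lines 496 and 598.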
diff --git a/shared/templates/file_groupowner/oval.template b/shared/templates/file_groupowner/oval.template
index 64a494471a88..276965ad77ca 100644
--- a/shared/templates/file_groupowner/oval.template
+++ b/shared/templates/file_groupowner/oval.template
@@ -32,14 +32,14 @@
{{%- if IS_DIRECTORY -%}}
- {{%- if FILE_REGEX %}}
+ {{%- if RECURSIVE %}}
+ ^{{{ filepath[:-1] }}}
+ {{%- else %}}
{{{ filepath[:-1] }}}
+ {{%- endif %}}
+ {{%- if FILE_REGEX %}}
{{{ FILE_REGEX[loop.index0] }}}
- {{%- elif RECURSIVE %}}
- {{{ filepath[:-1] }}}
-
{{%- else %}}
- {{{ filepath[:-1] }}}
{{%- endif %}}
{{%- else %}}
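Review bot: The recursive path at line 408 is emitted as the regex `^{{{ filepath[:-1] }}}` with no terminator, so, assuming this renders into a path element with a pattern-match operation, `/usr/lib/` becomes `^/usr/lib` and also selects `/usr/libexec` (and `/lib/` selects `/lib64`), pulling unrelated trees into the check; the path is not regex-escaped either. Anchoring it as `^{{{ filepath[:-1] }}}(/.*)?$` restricts the match to the directory and its descendants. The file_owner and file_permissions OVAL templates at lines 511 and 613 have the same construction, and the library-dir rules in this diff (`/usr/lib/` with `recursive: 'true'`) are directly affected by the prefix match.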
diff --git a/shared/templates/file_owner/ansible.template b/shared/templates/file_owner/ansible.template
index dba9e65a2774..bf36faca54c7 100644
--- a/shared/templates/file_owner/ansible.template
+++ b/shared/templates/file_owner/ansible.template
@@ -5,32 +5,42 @@
# disruption = low
{{% for path in FILEPATH %}}
-{{% if IS_DIRECTORY and FILE_REGEX %}}
+{{% if IS_DIRECTORY %}}
+{{% if FILE_REGEX %}}
+
+- name: Find {{{ path }}} file(s) matching {{{ FILE_REGEX[loop.index0] }}}{{% if RECURSIVE %}} recursively{{% endif %}}
-- name: Find {{{ path }}} file(s) matching {{{ FILE_REGEX[loop.index0] }}}
find:
paths: "{{{ path }}}"
patterns: {{{ FILE_REGEX[loop.index0] }}}
use_regex: yes
+{{% if RECURSIVE %}}
+ recurse: yes
+{{% endif %}}
hidden: yes
register: files_found
-- name: Ensure group owner on {{{ path }}} file(s) matching {{{ FILE_REGEX[loop.index0] }}}
+- name: Ensure owner on {{{ path }}} file(s) matching {{{ FILE_REGEX[loop.index0] }}}
file:
path: "{{ item.path }}"
owner: "{{{ FILEUID }}}"
+ state: file
+ when: item.uid != {{{ FILEUID }}}
with_items:
- "{{ files_found.files }}"
-{{% elif IS_DIRECTORY and RECURSIVE %}}
+{{% else %}}
-- name: Ensure owner on {{{ path }}} recursively
+- name: Ensure owner on directory {{{ path }}}{{% if RECURSIVE %}} recursively{{% endif %}}
file:
path: "{{{ path }}}"
state: directory
+{{% if RECURSIVE %}}
recurse: yes
+{{% endif %}}
owner: "{{{ FILEUID }}}"
+{{% endif %}}
{{% else %}}
- name: Test for existence {{{ path }}}
diff --git a/shared/templates/file_owner/bash.template b/shared/templates/file_owner/bash.template
index 27b5a2addbf7..83a53b9d2432 100644
--- a/shared/templates/file_owner/bash.template
+++ b/shared/templates/file_owner/bash.template
@@ -4,17 +4,25 @@
# complexity = low
# disruption = low
+{{%- if RECURSIVE %}}
+{{% set FIND_RECURSE_ARGS="" %}}
+{{%- else %}}
+{{% set FIND_RECURSE_ARGS="-maxdepth 1" %}}
+{{%- endif %}}
+
{{% for path in FILEPATH %}}
-{{% if IS_DIRECTORY and FILE_REGEX %}}
-readarray -t files < <(find {{{ path }}})
+{{%- if IS_DIRECTORY %}}
+{{%- if FILE_REGEX %}}
+readarray -t files < <(find {{{ path }}} {{{ FIND_RECURSE_ARGS }}} -type f ! -uid {{{ FILEUID }}})
for file in "${files[@]}"; do
- if basename $file | grep -qE '{{{ FILE_REGEX[loop.index0] }}}'; then
- chown {{{ FILEUID }}} $file
+ if basename "$file" | grep -qE '{{{ FILE_REGEX[loop.index0] }}}'; then
+ chown {{{ FILEUID }}} "$file"
fi
done
-{{% elif IS_DIRECTORY and RECURSIVE %}}
-find -L {{{ path }}} -type d -exec chown {{{ FILEUID }}} {} \;
-{{% else %}}
+{{%- else %}}
+find -L {{{ path }}} {{{ FIND_RECURSE_ARGS }}} -type d -exec chown {{{ FILEUID }}} {} \;
+{{%- endif %}}
+{{%- else %}}
chown {{{ FILEUID }}} {{{ path }}}
-{{% endif %}}
+{{%- endif %}}
{{% endfor %}}
diff --git a/shared/templates/file_owner/oval.template b/shared/templates/file_owner/oval.template
index 777831d790d2..090ea49863a6 100644
--- a/shared/templates/file_owner/oval.template
+++ b/shared/templates/file_owner/oval.template
@@ -31,14 +31,14 @@
{{%- if IS_DIRECTORY -%}}
- {{%- if FILE_REGEX %}}
+ {{%- if RECURSIVE %}}
+ ^{{{ filepath[:-1] }}}
+ {{%- else %}}
{{{ filepath[:-1] }}}
+ {{%- endif %}}
+ {{%- if FILE_REGEX %}}
{{{ FILE_REGEX[loop.index0] }}}
- {{%- elif RECURSIVE %}}
- {{{ filepath[:-1] }}}
-
{{%- else %}}
- {{{ filepath[:-1] }}}
{{%- endif %}}
{{%- else %}}
diff --git a/shared/templates/file_permissions/ansible.template b/shared/templates/file_permissions/ansible.template
index 6d4dedcee511..80753f4fcf4c 100644
--- a/shared/templates/file_permissions/ansible.template
+++ b/shared/templates/file_permissions/ansible.template
@@ -5,13 +5,18 @@
# disruption = low
{{% for path in FILEPATH %}}
-{{% if IS_DIRECTORY and FILE_REGEX %}}
+{{% if IS_DIRECTORY %}}
+{{% if FILE_REGEX %}}
+
+- name: Find {{{ path }}} file(s){{% if RECURSIVE %}} recursively{{% endif %}}
-- name: Find {{{ path }}} file(s)
find:
paths: "{{{ path }}}"
patterns: {{{ FILE_REGEX[loop.index0] }}}
use_regex: yes
+{{% if RECURSIVE %}}
+ recurse: yes
+{{% endif %}}
hidden: yes
register: files_found
@@ -19,18 +24,23 @@
file:
path: "{{ item.path }}"
mode: "{{{ FILEMODE }}}"
+ state: file
+ when: item.mode != '{{{ FILEMODE}}}'
with_items:
- "{{ files_found.files }}"
-{{% elif IS_DIRECTORY and RECURSIVE %}}
+{{% else %}}
-- name: Set permissions for {{{ path }}} recursively
+- name: Set permissions for {{{ path }}}{{% if RECURSIVE %}} recursively{{% endif %}}
file:
path: "{{{ path }}}"
state: directory
+{{% if RECURSIVE %}}
recurse: yes
+{{% endif %}}
mode: "{{{ FILEMODE }}}"
+{{% endif %}}
{{% else %}}
- name: Test for existence {{{ path }}}
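Review bot: `when: item.mode != '{{{ FILEMODE}}}'` (line 551) compares the `mode` string the find module reports (four octal digits such as `0755`) with the literal template value, so the task is skipped only when `filemode` is written in exactly that form; a value such as `755` makes the condition always true, which is harmless but defeats the idempotence the condition is meant to add. Either document in the template reference that `filemode` must be four-digit octal, or normalise both sides, e.g. `when: item.mode | int(base=8) != '{{{ FILEMODE }}}' | int(base=8)`. The missing space in `{{{ FILEMODE}}}` should also be fixed.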
diff --git a/shared/templates/file_permissions/bash.template b/shared/templates/file_permissions/bash.template
index e0d8fe95c4f0..75f238530261 100644
--- a/shared/templates/file_permissions/bash.template
+++ b/shared/templates/file_permissions/bash.template
@@ -4,17 +4,25 @@
# complexity = low
# disruption = low
+{{%- if RECURSIVE %}}
+{{% set FIND_RECURSE_ARGS="" %}}
+{{%- else %}}
+{{% set FIND_RECURSE_ARGS="-maxdepth 1" %}}
+{{%- endif %}}
+
{{% for path in FILEPATH %}}
-{{% if IS_DIRECTORY and FILE_REGEX %}}
-readarray -t files < <(find {{{ path }}})
+{{%- if IS_DIRECTORY %}}
+{{%- if FILE_REGEX %}}
+readarray -t files < <(find {{{ path }}} {{{ FIND_RECURSE_ARGS }}} -type f)
for file in "${files[@]}"; do
- if basename $file | grep -qE '{{{ FILE_REGEX[loop.index0] }}}'; then
- chmod {{{ FILEMODE }}} $file
+ if basename "$file" | grep -qE '{{{ FILE_REGEX[loop.index0] }}}'; then
+ chmod {{{ FILEMODE }}} "$file"
fi
done
-{{% elif IS_DIRECTORY and RECURSIVE %}}
-find -L {{{ path }}} -type d -exec chmod {{{ FILEMODE }}} {} \;
-{{% else %}}
+{{%- else %}}
+find -L {{{ path }}} {{{ FIND_RECURSE_ARGS }}} -type d -exec chmod {{{ FILEMODE }}} {} \;
+{{%- endif %}}
+{{%- else %}}
chmod {{{ FILEMODE }}} {{{ path }}}
-{{% endif %}}
+{{%- endif %}}
{{% endfor %}}
diff --git a/shared/templates/file_permissions/oval.template b/shared/templates/file_permissions/oval.template
index 6b3616a7f428..a22bb1046877 100644
--- a/shared/templates/file_permissions/oval.template
+++ b/shared/templates/file_permissions/oval.template
@@ -45,14 +45,14 @@
{{%- if IS_DIRECTORY %}}
- {{%- if FILE_REGEX %}}
+ {{%- if RECURSIVE %}}
+ ^{{{ filepath[:-1] }}}
+ {{%- else %}}
{{{ filepath[:-1] }}}
+ {{%- endif %}}
+ {{%- if FILE_REGEX %}}
{{{ FILE_REGEX[loop.index0] }}}
- {{%- elif RECURSIVE %}}
- {{{ filepath[:-1] }}}
-
{{%- else %}}
- {{{ filepath[:-1] }}}
{{%- endif %}}
{{%- else %}}
diff --git a/ssg/build_yaml.py b/ssg/build_yaml.py
index c1de1059a804..3522077955bf 100644
--- a/ssg/build_yaml.py
+++ b/ssg/build_yaml.py
@@ -1127,9 +1127,12 @@ def to_xml_element(self, env_yaml=None):
rules_in_group = list(self.rules.keys())
regex = (r'(package_.*_(installed|removed))|' +
r'(service_.*_(enabled|disabled))|' +
- r'install_smartcard_packages$')
+ r'install_smartcard_packages|' +
+ r'sshd_set_keepalive(_0)?|' +
+ r'sshd_set_idle_timeout$')
priority_order = ["installed", "install_smartcard_packages", "removed",
- "enabled", "disabled"]
+ "enabled", "disabled", "sshd_set_keepalive_0",
+ "sshd_set_keepalive", "sshd_set_idle_timeout"]
rules_in_group = reorder_according_to_ordering(rules_in_group, priority_order, regex)
# Add rules in priority order, first all packages installed, then removed,
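Review bot: The `$` anchor now binds only to the last alternative `sshd_set_idle_timeout$`, so `install_smartcard_packages` lost the end anchor it had before and the new `sshd_set_keepalive(_0)?` is unanchored as well; depending on whether `reorder_according_to_ordering` (outside this hunk) uses `match` or `search`, `sshd_set_keepalive` alone also matches `sshd_set_keepalive_0`, and any future rule whose id merely contains one of these names would be swept into the ordering. Grouping the anchored alternatives preserves the old intent: `r'(install_smartcard_packages|sshd_set_keepalive(_0)?|sshd_set_idle_timeout)$'`. The enclosing `to_xml_element` begins before the hunk.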
diff --git a/tests/data/profile_stability/rhel8/ospp.profile b/tests/data/profile_stability/rhel8/ospp.profile
index 0e12daa8326e..96a7088712f8 100644
--- a/tests/data/profile_stability/rhel8/ospp.profile
+++ b/tests/data/profile_stability/rhel8/ospp.profile
@@ -147,6 +147,8 @@ selections:
- package_gssproxy_removed
- package_iprutils_removed
- package_krb5-workstation_removed
+- package_libreport-plugin-logger_removed
+- package_libreport-plugin-rhtsupport_removed
- package_nfs-utils_removed
- package_openscap-scanner_installed
- package_openssh-clients_installed
diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
index 7ca3d7559600..ce84291fb4c9 100644
--- a/tests/data/profile_stability/rhel8/stig.profile
+++ b/tests/data/profile_stability/rhel8/stig.profile
@@ -292,6 +292,8 @@ selections:
- package_gssproxy_removed
- package_iprutils_removed
- package_krb5-workstation_removed
+- package_libreport-plugin-logger_removed
+- package_libreport-plugin-rhtsupport_removed
- package_mcafeetp_installed
- package_opensc_installed
- package_openssh-server_installed
diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile
index 8fe977ab51c7..1a1364042029 100644
--- a/tests/data/profile_stability/rhel8/stig_gui.profile
+++ b/tests/data/profile_stability/rhel8/stig_gui.profile
@@ -303,6 +303,8 @@ selections:
- package_gssproxy_removed
- package_iprutils_removed
- package_krb5-workstation_removed
+- package_libreport-plugin-logger_removed
+- package_libreport-plugin-rhtsupport_removed
- package_mcafeetp_installed
- package_opensc_installed
- package_openssh-server_installed