Sle16 dconf gnome patch#14366
Open
teacup-on-rockingchair wants to merge 7 commits intoComplianceAsCode:masterfrom
Open
Sle16 dconf gnome patch#14366teacup-on-rockingchair wants to merge 7 commits intoComplianceAsCode:masterfrom
teacup-on-rockingchair wants to merge 7 commits intoComplianceAsCode:masterfrom
Conversation
openshift-ci
bot
added
the
do-not-merge/work-in-progress
|
Skipping CI for Draft Pull Request. |
Member
|
/packit build |
…and use dconf_gdm_dirvariable for location
teacup-on-rockingchair
force-pushed
the
sle16_dconf_gnome_patch
branch
from
6587ae0 to
f7184bd
Compare
teacup-on-rockingchair
added
SLES
teacup-on-rockingchair
requested review from
Mab879,
jan-cerny,
matusmarhefka and
vojtapolasek
as code owners
openshift-ci
bot
removed
the
do-not-merge/work-in-progress
mpurg
requested changes
Feb 9, 2026
teacup-on-rockingchair
force-pushed
the
sle16_dconf_gnome_patch
branch
from
4a2f31e to
9062760
Compare
Member
|
/packit retest-failed |
teacup-on-rockingchair
force-pushed
the
sle16_dconf_gnome_patch
branch
from
9062760 to
fabc054
Compare
|
This datastream diff is auto generated by the check Click here to see the full diffNew content has different text for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_disable_automount'.
--- xccdf_org.ssgproject.content_rule_dconf_gnome_disable_automount
+++ xccdf_org.ssgproject.content_rule_dconf_gnome_disable_automount
@@ -6,12 +6,12 @@
The system's default desktop environment, GNOME3, will mount
devices and removable media (such as DVDs, CDs and USB flash drives) whenever
they are inserted into the system. To disable automount within GNOME3, add or set
-automount to false in /etc/dconf/db/local.d/00-security-settings.
+automount to false in /etc/dconf/db/gdm.d/00-security-settings.
For example:
[org/gnome/desktop/media-handling]
automount=false
Once the settings have been added, add a lock to
-/etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification.
+/etc/dconf/db/gdm.d/locks/00-security-settings-lock to prevent user modification.
For example:
/org/gnome/desktop/media-handling/automount
After the settings have been set, run dconf update.
OCIL for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_disable_automount' differs.
--- ocil:ssg-dconf_gnome_disable_automount_ocil:questionnaire:1
+++ ocil:ssg-dconf_gnome_disable_automount_ocil:questionnaire:1
@@ -2,7 +2,7 @@
$ gsettings get org.gnome.desktop.media-handling automount
If properly configured, the output for automount should be false.
To ensure that users cannot enable automount in GNOME3, run the following:
-$ grep 'automount' /etc/dconf/db/local.d/locks/*
+$ grep 'automount' /etc/dconf/db/gdm.d/locks/*
If properly configured, the output for automount should be /org/gnome/desktop/media-handling/automount
Is it the case that GNOME automounting is not disabled?
bash remediation for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_disable_automount' differs.
--- xccdf_org.ssgproject.content_rule_dconf_gnome_disable_automount
+++ xccdf_org.ssgproject.content_rule_dconf_gnome_disable_automount
@@ -2,7 +2,6 @@
if rpm --quiet -q gdm; then
# apply fix for enable_dconf_user_profile, OVAL checks it
-
# Check for setting in any of the DConf db directories
# If files contain ibus or distro, ignore them.
New content has different text for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_disable_automount_open'.
--- xccdf_org.ssgproject.content_rule_dconf_gnome_disable_automount_open
+++ xccdf_org.ssgproject.content_rule_dconf_gnome_disable_automount_open
@@ -6,12 +6,12 @@
The system's default desktop environment, GNOME3, will mount
devices and removable media (such as DVDs, CDs and USB flash drives) whenever
they are inserted into the system. To disable automount-open within GNOME3, add or set
-automount-open to false in /etc/dconf/db/local.d/00-security-settings.
+automount-open to false in /etc/dconf/db/gdm.d/00-security-settings.
For example:
[org/gnome/desktop/media-handling]
automount-open=false
Once the settings have been added, add a lock to
-/etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification.
+/etc/dconf/db/gdm.d/locks/00-security-settings-lock to prevent user modification.
For example:
/org/gnome/desktop/media-handling/automount-open
After the settings have been set, run dconf update.
OCIL for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_disable_automount_open' differs.
--- ocil:ssg-dconf_gnome_disable_automount_open_ocil:questionnaire:1
+++ ocil:ssg-dconf_gnome_disable_automount_open_ocil:questionnaire:1
@@ -2,7 +2,7 @@
$ gsettings get org.gnome.desktop.media-handling automount-open
If properly configured, the output for automount-openshould be false.
To ensure that users cannot enable automount opening in GNOME3, run the following:
-$ grep 'automount-open' /etc/dconf/db/local.d/locks/*
+$ grep 'automount-open' /etc/dconf/db/gdm.d/locks/*
If properly configured, the output for automount-open should be /org/gnome/desktop/media-handling/automount-open
Is it the case that GNOME automounting is not disabled?
bash remediation for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_disable_automount_open' differs.
--- xccdf_org.ssgproject.content_rule_dconf_gnome_disable_automount_open
+++ xccdf_org.ssgproject.content_rule_dconf_gnome_disable_automount_open
@@ -2,7 +2,6 @@
if rpm --quiet -q gdm; then
# apply fix for enable_dconf_user_profile, OVAL checks it
-
# Check for setting in any of the DConf db directories
# If files contain ibus or distro, ignore them.
New content has different text for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_disable_autorun'.
--- xccdf_org.ssgproject.content_rule_dconf_gnome_disable_autorun
+++ xccdf_org.ssgproject.content_rule_dconf_gnome_disable_autorun
@@ -6,12 +6,12 @@
The system's default desktop environment, GNOME3, will mount
devices and removable media (such as DVDs, CDs and USB flash drives) whenever
they are inserted into the system. To disable autorun-never within GNOME3, add or set
-autorun-never to true in /etc/dconf/db/local.d/00-security-settings.
+autorun-never to true in /etc/dconf/db/gdm.d/00-security-settings.
For example:
[org/gnome/desktop/media-handling]
autorun-never=true
Once the settings have been added, add a lock to
-/etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification.
+/etc/dconf/db/gdm.d/locks/00-security-settings-lock to prevent user modification.
For example:
/org/gnome/desktop/media-handling/autorun-never
After the settings have been set, run dconf update.
OCIL for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_disable_autorun' differs.
--- ocil:ssg-dconf_gnome_disable_autorun_ocil:questionnaire:1
+++ ocil:ssg-dconf_gnome_disable_autorun_ocil:questionnaire:1
@@ -2,7 +2,7 @@
$ gsettings get org.gnome.desktop.media-handling autorun-never
If properly configured, the output for autorun-nevershould be true.
To ensure that users cannot enable autorun in GNOME3, run the following:
-$ grep 'autorun-never' /etc/dconf/db/local.d/locks/*
+$ grep 'autorun-never' /etc/dconf/db/gdm.d/locks/*
If properly configured, the output for autorun-never should be /org/gnome/desktop/media-handling/autorun-never
Is it the case that GNOME autorun is not disabled?
New content has different text for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_remote_access_credential_prompt'.
--- xccdf_org.ssgproject.content_rule_dconf_gnome_remote_access_credential_prompt
+++ xccdf_org.ssgproject.content_rule_dconf_gnome_remote_access_credential_prompt
@@ -6,12 +6,12 @@
By default, GNOME does not require credentials when using Vino for
remote access. To configure the system to require remote credentials, add or set
authentication-methods to ['vnc'] in
-/etc/dconf/db/local.d/00-security-settings. For example:
+/etc/dconf/db/gdm.d/00-security-settings. For example:
[org/gnome/Vino]
authentication-methods=['vnc']
Once the settings have been added, add a lock to
-/etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification.
+/etc/dconf/db/gdm.d/locks/00-security-settings-lock to prevent user modification.
For example:
/org/gnome/Vino/authentication-methods
After the settings have been set, run dconf update.
OCIL for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_remote_access_credential_prompt' differs.
--- ocil:ssg-dconf_gnome_remote_access_credential_prompt_ocil:questionnaire:1
+++ ocil:ssg-dconf_gnome_remote_access_credential_prompt_ocil:questionnaire:1
@@ -2,7 +2,7 @@
$ gsettings get org.gnome.Vino authentication-methods
If properly configured, the output should be false.
To ensure that users cannot disable credentials for remote access, run the following:
-$ grep authentication-methods /etc/dconf/db/local.d/locks/*
+$ grep authentication-methods /etc/dconf/db/gdm.d/locks/*
If properly configured, the output should be
/org/gnome/Vino/authentication-methods
Is it the case that wireless network notification is enabled and not disabled?
New content has different text for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_remote_access_encryption'.
--- xccdf_org.ssgproject.content_rule_dconf_gnome_remote_access_encryption
+++ xccdf_org.ssgproject.content_rule_dconf_gnome_remote_access_encryption
@@ -6,12 +6,12 @@
By default, GNOME requires encryption when using Vino for remote access.
To prevent remote access encryption from being disabled, add or set
require-encryption to true in
-/etc/dconf/db/local.d/00-security-settings. For example:
+/etc/dconf/db/gdm.d/00-security-settings. For example:
[org/gnome/Vino]
require-encryption=true
Once the settings have been added, add a lock to
-/etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification.
+/etc/dconf/db/gdm.d/locks/00-security-settings-lock to prevent user modification.
For example:
/org/gnome/Vino/require-encryption
After the settings have been set, run dconf update.
OCIL for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_remote_access_encryption' differs.
--- ocil:ssg-dconf_gnome_remote_access_encryption_ocil:questionnaire:1
+++ ocil:ssg-dconf_gnome_remote_access_encryption_ocil:questionnaire:1
@@ -2,7 +2,7 @@
$ gsettings get org.gnome.Vino require-encrpytion
If properly configured, the output should be true.
To ensure that users cannot disable encrypted remote connections, run the following:
-$ grep require-encryption /etc/dconf/db/local.d/locks/*
+$ grep require-encryption /etc/dconf/db/gdm.d/locks/*
If properly configured, the output should be
/org/gnome/Vino/require-encryption
Is it the case that remote access connections are not encrypted?
New content has different text for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_idle_activation_enabled'.
--- xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_idle_activation_enabled
+++ xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_idle_activation_enabled
@@ -5,11 +5,11 @@
[description]:
To activate the screensaver in the GNOME3 desktop after a period of inactivity,
add or set idle-activation-enabled to true in
-/etc/dconf/db/local.d/00-security-settings. For example:
+/etc/dconf/db/gdm.d/00-security-settings. For example:
[org/gnome/desktop/screensaver]
idle-activation-enabled=true
Once the setting has been added, add a lock to
-/etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification.
+/etc/dconf/db/gdm.d/locks/00-security-settings-lock to prevent user modification.
For example:
/org/gnome/desktop/screensaver/idle-activation-enabled
After the settings have been set, run dconf update.
OCIL for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_idle_activation_enabled' differs.
--- ocil:ssg-dconf_gnome_screensaver_idle_activation_enabled_ocil:questionnaire:1
+++ ocil:ssg-dconf_gnome_screensaver_idle_activation_enabled_ocil:questionnaire:1
@@ -2,7 +2,7 @@
$ gsettings get org.gnome.desktop.screensaver idle-activation-enabled
If properly configured, the output should be true.
To ensure that users cannot disable the screensaver idle inactivity setting, run the following:
-$ grep idle-activation-enabled /etc/dconf/db/local.d/locks/*
+$ grep idle-activation-enabled /etc/dconf/db/gdm.d/locks/*
If properly configured, the output should be /org/gnome/desktop/screensaver/idle-activation-enabled
Is it the case that idle-activation-enabled is not enabled or configured?
New content has different text for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_idle_delay'.
--- xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_idle_delay
+++ xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_idle_delay
@@ -4,12 +4,12 @@
[description]:
The idle time-out value for inactivity in the GNOME3 desktop is configured via the idle-delay
-setting must be set under an appropriate configuration file(s) in the /etc/dconf/db/local.d directory
-and locked in /etc/dconf/db/local.d/locks directory to prevent user modification.
+setting must be set under an appropriate configuration file(s) in the /etc/dconf/db/gdm.d directory
+and locked in /etc/dconf/db/gdm.d/locks directory to prevent user modification.
For example, to configure the system for a 15 minute delay, add the following to
-/etc/dconf/db/local.d/00-security-settings:
+/etc/dconf/db/gdm.d/00-security-settings:
[org/gnome/desktop/session]
idle-delay=uint32 900
OCIL for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_idle_delay' differs.
--- ocil:ssg-dconf_gnome_screensaver_idle_delay_ocil:questionnaire:1
+++ ocil:ssg-dconf_gnome_screensaver_idle_delay_ocil:questionnaire:1
@@ -2,7 +2,7 @@
$ gsettings get org.gnome.desktop.session idle-delay
If properly configured, the output should be 'uint32 '.
To ensure that users cannot change the screensaver inactivity timeout setting, run the following:
-$ grep idle-delay /etc/dconf/db/local.d/locks/*
+$ grep idle-delay /etc/dconf/db/gdm.d/locks/*
If properly configured, the output should be /org/gnome/desktop/session/idle-delay
Is it the case that idle-delay is set to 0 or a value greater than <sub idref="inactivity_timeout_value" />?
bash remediation for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_idle_delay' differs.
--- xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_idle_delay
+++ xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_idle_delay
@@ -2,6 +2,7 @@
if rpm --quiet -q gdm; then
inactivity_timeout_value=''
+
# Check for setting in any of the DConf db directories
New content has different text for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_delay'.
--- xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_delay
+++ xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_delay
@@ -6,7 +6,7 @@
To activate the locking delay of the screensaver in the GNOME3 desktop when
the screensaver is activated, add or set lock-delay to uint32 'xccdf_org.ssgproject.content_value_var_screensaver_lock_delay'
in
-/etc/dconf/db/local.d/00-security-settings. For example:
+/etc/dconf/db/gdm.d/00-security-settings. For example:
[org/gnome/desktop/screensaver]
lock-delay=uint32 'xccdf_org.ssgproject.content_value_var_screensaver_lock_delay'
bash remediation for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_delay' differs.
--- xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_delay
+++ xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_delay
@@ -1,10 +1,8 @@
# Remediation is applicable only in certain platforms
if rpm --quiet -q gdm; then
-# apply fix for enable_dconf_user_profile, OVAL checks it
+var_screensaver_lock_delay=''
-
-var_screensaver_lock_delay=''
# Check for setting in any of the DConf db directories
New content has different text for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_enabled'.
--- xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_enabled
+++ xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_enabled
@@ -5,12 +5,12 @@
[description]:
To activate locking of the screensaver in the GNOME3 desktop when it is activated,
add or set lock-enabled to true in
-/etc/dconf/db/local.d/00-security-settings. For example:
+/etc/dconf/db/gdm.d/00-security-settings. For example:
[org/gnome/desktop/screensaver]
lock-enabled=true
Once the settings have been added, add a lock to
-/etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification.
+/etc/dconf/db/gdm.d/locks/00-security-settings-lock to prevent user modification.
For example:
/org/gnome/desktop/screensaver/lock-enabled
After the settings have been set, run dconf update.
OCIL for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_enabled' differs.
--- ocil:ssg-dconf_gnome_screensaver_lock_enabled_ocil:questionnaire:1
+++ ocil:ssg-dconf_gnome_screensaver_lock_enabled_ocil:questionnaire:1
@@ -3,7 +3,7 @@
$ gsettings get org.gnome.desktop.screensaver lock-enabled
If properly configured, the output should be true.
To ensure that users cannot change how long until the screensaver locks, run the following:
-$ grep lock-enabled /etc/dconf/db/local.d/locks/*
+$ grep lock-enabled /etc/dconf/db/gdm.d/locks/*
If properly configured, the output for lock-enabled should be /org/gnome/desktop/screensaver/lock-enabled
Is it the case that screensaver locking is not enabled and/or has not been set or configured correctly?
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_enabled' differs.
--- xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_enabled
+++ xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_enabled
@@ -76,7 +76,7 @@
- name: Enable GNOME3 Screensaver Lock After Idle Period - Enable GNOME3 Screensaver
Lock After Idle Period
community.general.ini_file:
- dest: /etc/dconf/db/local.d/00-security-settings
+ dest: /etc/dconf/db/gdm.d/00-security-settings
section: org/gnome/desktop/lockdown
option: disable-lock-screen
value: 'false'
@@ -105,7 +105,7 @@
- name: Enable GNOME3 Screensaver Lock After Idle Period - Prevent user modification
of GNOME disable-lock-screen
ansible.builtin.lineinfile:
- path: /etc/dconf/db/local.d/locks/00-security-settings-lock
+ path: /etc/dconf/db/gdm.d/locks/00-security-settings-lock
regexp: ^/org/gnome/desktop/lockdown/disable-lock-screen$
line: /org/gnome/desktop/lockdown/disable-lock-screen
create: true
New content has different text for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_mode_blank'.
--- xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_mode_blank
+++ xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_mode_blank
@@ -5,12 +5,12 @@
[description]:
To set the screensaver mode in the GNOME3 desktop to a blank screen,
add or set picture-uri to string '' in
-/etc/dconf/db/local.d/00-security-settings. For example:
+/etc/dconf/db/gdm.d/00-security-settings. For example:
[org/gnome/desktop/screensaver]
picture-uri=string ''
Once the settings have been added, add a lock to
-/etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification.
+/etc/dconf/db/gdm.d/locks/00-security-settings-lock to prevent user modification.
For example:
/org/gnome/desktop/screensaver/picture-uri
After the settings have been set, run dconf update.
OCIL for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_mode_blank' differs.
--- ocil:ssg-dconf_gnome_screensaver_mode_blank_ocil:questionnaire:1
+++ ocil:ssg-dconf_gnome_screensaver_mode_blank_ocil:questionnaire:1
@@ -3,7 +3,7 @@
If properly configured, the output should be ''.
To ensure that users cannot set the screensaver background, run the following:
-$ grep picture-uri /etc/dconf/db/local.d/locks/*
+$ grep picture-uri /etc/dconf/db/gdm.d/locks/*
If properly configured, the output should be /org/gnome/desktop/screensaver/picture-uri
Is it the case that it is not set or configured properly?
New content has different text for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_user_locks'.
--- xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_user_locks
+++ xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_user_locks
@@ -5,7 +5,7 @@
[description]:
If not already configured, ensure that users cannot change GNOME3 screensaver lock settings
by adding /org/gnome/desktop/screensaver/lock-delay
-to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification.
+to /etc/dconf/db/gdm.d/locks/00-security-settings-lock to prevent user modification.
For example:
/org/gnome/desktop/screensaver/lock-delay
After the settings have been set, run dconf update.
OCIL for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_user_locks' differs.
--- ocil:ssg-dconf_gnome_screensaver_user_locks_ocil:questionnaire:1
+++ ocil:ssg-dconf_gnome_screensaver_user_locks_ocil:questionnaire:1
@@ -1,5 +1,5 @@
To ensure that users cannot change session idle and lock settings, run the following:
-$ grep 'lock-delay' /etc/dconf/db/local.d/locks/*
+$ grep 'lock-delay' /etc/dconf/db/gdm.d/locks/*
If properly configured, the output should return:
/org/gnome/desktop/screensaver/lock-delay
Is it the case that GNOME3 session settings are not locked or configured properly?
New content has different text for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_session_idle_user_locks'.
--- xccdf_org.ssgproject.content_rule_dconf_gnome_session_idle_user_locks
+++ xccdf_org.ssgproject.content_rule_dconf_gnome_session_idle_user_locks
@@ -5,7 +5,7 @@
[description]:
If not already configured, ensure that users cannot change GNOME3 session idle settings
by adding /org/gnome/desktop/session/idle-delay
-to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification.
+to /etc/dconf/db/gdm.d/locks/00-security-settings-lock to prevent user modification.
For example:
/org/gnome/desktop/session/idle-delay
After the settings have been set, run dconf update.
OCIL for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_session_idle_user_locks' differs.
--- ocil:ssg-dconf_gnome_session_idle_user_locks_ocil:questionnaire:1
+++ ocil:ssg-dconf_gnome_session_idle_user_locks_ocil:questionnaire:1
@@ -1,5 +1,5 @@
To ensure that users cannot change session idle and lock settings, run the following:
-$ grep 'idle-delay' /etc/dconf/db/local.d/locks/*
+$ grep 'idle-delay' /etc/dconf/db/gdm.d/locks/*
If properly configured, the output should return:
/org/gnome/desktop/session/idle-delay
Is it the case that idle-delay is not locked?
bash remediation for rule 'xccdf_org.ssgproject.content_rule_require_emergency_target_auth' differs.
--- xccdf_org.ssgproject.content_rule_require_emergency_target_auth
+++ xccdf_org.ssgproject.content_rule_require_emergency_target_auth
@@ -10,7 +10,6 @@
mkdir -p "${service_dropin_cfg_dir}"
echo "[Service]" >> "${service_dropin_file}"
-echo "ExecStart=" >> "${service_dropin_file}"
echo "ExecStart=-$sulogin" >> "${service_dropin_file}"
else
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_require_emergency_target_auth' differs.
--- xccdf_org.ssgproject.content_rule_require_emergency_target_auth
+++ xccdf_org.ssgproject.content_rule_require_emergency_target_auth
@@ -22,7 +22,6 @@
dest: /etc/systemd/system/emergency.service.d/10-oscap.conf
block: |-
[Service]
- ExecStart=
ExecStart=-/usr/lib/systemd/systemd-sulogin-shell emergency
when: '"kernel-core" in ansible_facts.packages'
tags:
New content has different text for rule 'xccdf_org.ssgproject.content_rule_mount_option_nodev_nonroot_local_partitions'.
--- xccdf_org.ssgproject.content_rule_mount_option_nodev_nonroot_local_partitions
+++ xccdf_org.ssgproject.content_rule_mount_option_nodev_nonroot_local_partitions
@@ -12,18 +12,6 @@
any non-root local partitions.
-[warning]:
-This rule checks only local partitions, identified as those backed by
-a device node in /dev. Network file systems such as NFS, CIFS,
-GlusterFS and others are excluded because they do not expose local
-device nodes. The /boot and /efi partitions are
-excluded because they are special partitions usually handled by a
-systemd mount unit, and enforcing nodev on them during
-operating system installation causes issues. Partitions with the
-vfat file system type are excluded because vfat does not
-support Unix device special files, so nodev enforcement on
-them is not meaningful.
-
[reference]:
11
bash remediation for rule 'xccdf_org.ssgproject.content_rule_mount_option_nodev_nonroot_local_partitions' differs.
--- xccdf_org.ssgproject.content_rule_mount_option_nodev_nonroot_local_partitions
+++ xccdf_org.ssgproject.content_rule_mount_option_nodev_nonroot_local_partitions
@@ -31,7 +31,6 @@
lustre
davfs
fuse.sshfs
- vfat
)
for partition_record in "${partitions_records[@]}"; do
@@ -39,11 +38,6 @@
mount_point="$(echo "${partition_record}" | cut -d " " -f1)"
device="$(echo "${partition_record}" | cut -d " " -f2)"
device_type="$(echo "${partition_record}" | cut -d " " -f3)"
-
- # Skip /boot and /efi partitions
- if [[ "$mount_point" =~ ^/(boot|efi) ]]; then
- continue
- fi
# Skip polyinstantiated directories
if printf '%s\0' "${polyinstantiated_dirs[@]}" | grep -qxzF "$mount_point"; then
@@ -86,8 +80,8 @@
fi
done
-# Remediate unmounted /etc/fstab entries, excluding /boot, /efi, and vfat partitions
-sed -i -E '/nodev/! { /^\s*(\/dev\/\S+|UUID=\S+)\s+\/(boot|efi)/! { /^\s*(\/dev\/\S+|UUID=\S+)\s+\/\w\S*\s+vfat\s/! s;^\s*(/dev/\S+|UUID=\S+)\s+(/\w\S*)\s+(\S+)\s+(\S+)(.*)$;\1 \2 \3 \4,nodev \5; } }' /etc/fstab
+# Remediate unmounted /etc/fstab entries
+sed -i -E '/nodev/! s;^\s*(/dev/\S+|UUID=\S+)\s+(/\w\S*)\s+(\S+)\s+(\S+)(.*)$;\1 \2 \3 \4,nodev \5;' /etc/fstab
else
>&2 echo 'Remediation is not applicable, nothing was done'
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_mount_option_nodev_nonroot_local_partitions' differs.
--- xccdf_org.ssgproject.content_rule_mount_option_nodev_nonroot_local_partitions
+++ xccdf_org.ssgproject.content_rule_mount_option_nodev_nonroot_local_partitions
@@ -64,7 +64,6 @@
- lustre
- davfs
- fuse.sshfs
- - vfat
when: ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type in
@@ -99,11 +98,8 @@
and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type in
["docker", "lxc", "openvz", "podman", "container"] ) )
- item.mount is match('/\w')
- - item.mount is not match('/(boot|efi)')
- item.options is not search('nodev')
- item.fstype not in excluded_fstypes
- - (not accounts_polyinstantiated_var_tmp | default(false)) or item.mount != '/var/tmp/tmp-inst'
- - (not accounts_polyinstantiated_tmp | default(false)) or item.mount != '/tmp/tmp-inst'
with_items:
- '{{ ansible_facts.mounts }}'
tags:
@@ -126,7 +122,7 @@
are present with nodev option in /etc/fstab'
ansible.builtin.replace:
path: /etc/fstab
- regexp: ^\s*(?!#)(/dev/\S+|UUID=\S+)\s+(/(?!boot|efi)\w\S*)\s+(?!vfat\s)(\S+)\s+(?!.*\bnodev\b)(\S+)(.*)$
+ regexp: ^\s*(?!#)(/dev/\S+|UUID=\S+)\s+(/\w\S*)\s+(\S+)\s+(?!.*\bnodev\b)(\S+)(.*)$
replace: \1 \2 \3 \4,nodev \5
when: ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages |
mpurg
approved these changes
Feb 13, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
5 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description:
Rationale:
Review Hints: