Check sssd conf.d files and fix bash remediation.

linux_os/guide/services/apt/apt_conf_disallow_unauthenticated/oval/shared.xml

@@ -9,7 +9,7 @@
       <description>Accessing a repository should be
       allowed only when the repository is authenticated.</description>
     </metadata>
-    <criteria comment="Detect any usage of allow-ynauthenticated option"
+    <criteria comment="Detect any usage of allow-unauthenticated option"
       operator="OR">      
       <criterion comment="Check /etc/apt/apt.conf file"
       test_ref="test_unauthenticated_apt_conf" />

linux_os/guide/services/sssd/sssd_enable_pam_services/bash/shared.sh

@@ -3,17 +3,16 @@
 # Include source function library.
 . /usr/share/scap-security-guide/remediation_functions
 
-SSSD_SERVICES_PAM_REGEX="^[[:space:]]*\[sssd]([^\n]*\n+)+?[[:space:]]*services.*pam.*$"
-SSSD_SERVICES_REGEX="^[[:space:]]*\[sssd]([^\n]*\n+)+?[[:space:]]*services.*$"
-SSSD_PAM_SERVICES="[sssd]
-services = pam"
 SSSD_CONF="/etc/sssd/sssd.conf"
+SSSD_CONF_DIR="/etc/sssd/conf.d/*.conf"
 
-# If there is services line with pam, good
-# If there is services line without pam, append pam
-# If not echo services line with pam
-grep -q "$SSSD_SERVICES_PAM_REGEX" $SSSD_CONF || \
-	grep -q "$SSSD_SERVICES_REGEX" $SSSD_CONF && \
-	sed -i "s/$SSSD_SERVICES_REGEX/&, pam/" $SSSD_CONF || \
-	echo "$SSSD_PAM_SERVICES" >> $SSSD_CONF
+for f in $( ls $SSSD_CONF $SSSD_CONF_DIR 2> /dev/null ) ; do
+	# finds all services entries under [sssd] configuration category, get a unique list so it doesn't add redundant fix
+	services_list=$( awk '/^\s*\[/{f=0} /^\s*\[sssd\]/{f=1}f' $f | grep -P '^services[ \t]*=' | uniq )
 
+	while IFS= read -r services; do
+		if [[ ! $services =~ "pam" ]]; then
+			sed -i "s/$services$/&, pam/" $f
+		fi
+	done <<< "$services_list"
+done

linux_os/guide/services/sssd/sssd_enable_pam_services/oval/shared.xml

@@ -2,28 +2,29 @@
   <definition class="compliance" id="sssd_enable_pam_services" version="1">
     <metadata>
       <title>Configure PAM in SSSD Services</title>
-      <affected family="unix">
-        <platform>Red Hat Enterprise Linux 7</platform>
-        <platform>Red Hat Enterprise Linux 8</platform>
-        <platform>Red Hat Virtualization 4</platform>
-        <platform>multi_platform_ol</platform>
-      </affected>
+      {{{- oval_affected(products) }}}
       <description>SSSD should be configured to run SSSD PAM services.
       </description>
     </metadata>
     <criteria>
-      <criterion comment="check if pam is configured in the services setting of the sssd section"
-      test_ref="test_sssd_enable_pam_services" />
+        <criterion comment="check if pam is configured in the services setting of the sssd section"
+        test_ref="test_sssd_enable_pam_services" />
     </criteria>
   </definition>
-  <ind:textfilecontent54_test check="all" check_existence="all_exist"
+  <ind:textfilecontent54_test check="all" check_existence="any_exist"
   comment="check if pam is configured in the services setting of the sssd section"
   id="test_sssd_enable_pam_services" version="1">
     <ind:object object_ref="obj_sssd_enable_pam_services" />
+    <ind:state state_ref="state_sssd_enable_pam_services" />
   </ind:textfilecontent54_test>
+
   <ind:textfilecontent54_object id="obj_sssd_enable_pam_services" version="1">
-    <ind:filepath>/etc/sssd/sssd.conf</ind:filepath>
-    <ind:pattern operation="pattern match">^[\s]*\[sssd]([^\n\[\]]*\n+)+?[\s]*services.*pam.*$</ind:pattern>
-    <ind:instance datatype="int">1</ind:instance>
+    <ind:filepath operation="pattern match">^/etc/sssd/(sssd|conf\.d/.*)\.conf$</ind:filepath>
+    <ind:pattern operation="pattern match">^\s*\[sssd\].*(?:\n\s*[^[\s].*)*\n\s*services[ \t]*=[ \t]*(.*)$</ind:pattern>
+    <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
   </ind:textfilecontent54_object>
+
+  <ind:textfilecontent54_state id="state_sssd_enable_pam_services" version="1">
+    <ind:subexpression operation="pattern match">^.*pam.*$</ind:subexpression>
+  </ind:textfilecontent54_state>
 </def-group>

linux_os/guide/services/sssd/sssd_enable_pam_services/tests/custom_conf_services_pam_missing.fail.sh

@@ -0,0 +1,14 @@
+
+#!/bin/bash
+#
+# profiles = xccdf_org.ssgproject.content_profile_stig
+
+yum -y install /usr/lib/systemd/system/sssd.service
+rm -rf /etc/sssd/conf.d/
+mkdir -p /etc/sssd/conf.d/
+SSSD_CONF="/etc/sssd/conf.d/sssd.conf"
+
+cp wrong_sssd.conf $SSSD_CONF
+
+SSSD_CONF="/etc/sssd/sssd.conf"
+cp wrong_sssd.conf $SSSD_CONF

linux_os/guide/services/sssd/sssd_enable_pam_services/tests/multiple_wrong_entries.fail.sh

@@ -0,0 +1,41 @@
+#!/bin/bash
+#
+# profiles = xccdf_org.ssgproject.content_profile_stig
+
+yum -y install /usr/lib/systemd/system/sssd.service
+rm -rf /etc/sssd/conf.d/
+mkdir -p /etc/sssd/conf.d/
+SSSD_CONF="/etc/sssd/conf.d/sssd.conf"
+
+cp wrong_sssd.conf $SSSD_CONF
+
+SSSD_CONF="/etc/sssd/sssd.conf"
+cp wrong_sssd.conf $SSSD_CONF
+
+SSSD_CONF="/etc/sssd/sssd_custom.conf"
+cat <<EOF > $SSSD_CONF
+[sssd]
+services = nss
+domains = shadowutils
+
+[nss]
+
+[pam]
+services = pam
+
+[domain/shadowutils]
+id_provider = files
+
+auth_provider = proxy
+proxy_pam_target = sssd-shadowutils
+
+proxy_fast_alias = True
+
+[sssd]
+services = abc,cde
+
+[sssd]
+services = pam
+param1 = pam
+services = abc,cde
+EOF

linux_os/guide/services/sssd/sssd_enable_pam_services/tests/services_pam_missing.pass.sh

@@ -0,0 +1,17 @@
+#!/bin/bash
+#
+# profiles = xccdf_org.ssgproject.content_profile_stig
+
+SSSD_SERVICES_REGEX_SHORT="^[[:space:]]*services.*$"
+SSSD_CONF="/etc/sssd/sssd.conf"
+
+yum -y install /usr/lib/systemd/system/sssd.service
+rm -rf /etc/sssd/conf.d/
+rm -f SSSD_CONF
+cat <<EOF > $SSSD_CONF
+[sssd]
+section1 = key
+section2 = nss
+[pam]
+example1 = abc
+EOF

linux_os/guide/services/sssd/sssd_enable_pam_services/tests/services_pam_wrong_section.fail.sh

@@ -2,5 +2,7 @@
 #
 # profiles = xccdf_org.ssgproject.content_profile_stig
 
+yum -y install /usr/lib/systemd/system/sssd.service
+rm -rf /etc/sssd/conf.d/
 SSSD_CONF="/etc/sssd/sssd.conf"
 cp wrong_sssd.conf $SSSD_CONF

linux_os/guide/services/sssd/sssd_enable_pam_services/tests/sssd_pam_services.pass.sh

@@ -2,11 +2,14 @@
 #
 # profiles = xccdf_org.ssgproject.content_profile_stig
 
-SSSD_PAM_SERVICES_REGEX="^[\s]*\[sssd]([^\n]*\n+)+?[\s]*services.*pam.*$"
-SSSD_PAM_SERVICES="[sssd]
-services = pam"
 SSSD_CONF="/etc/sssd/sssd.conf"
 
-grep -q "$SSSD_PAM_SERVICES_REGEX" $SSSD_CONF && \
-	sed -i "s/$SSSD_PAM_SERVICES_REGEX/$SSD_PAM_SERVICES/" $SSSD_CONF || \
-	echo "$SSSD_PAM_SERVICES" >> $SSSD_CONF
+yum -y install /usr/lib/systemd/system/sssd.service
+rm -rf /etc/sssd/conf.d/
+rm -f SSSD_CONF
+cat <<EOF > $SSSD_CONF
+[sssd]
+services = nss,pam
+[pam]
+example1 = abc
+EOF