diff --git a/linux_os/guide/services/apt/apt_conf_disallow_unauthenticated/oval/shared.xml b/linux_os/guide/services/apt/apt_conf_disallow_unauthenticated/oval/shared.xml
index 2e33d2b0b8d..75cebc26f64 100644
--- a/linux_os/guide/services/apt/apt_conf_disallow_unauthenticated/oval/shared.xml
+++ b/linux_os/guide/services/apt/apt_conf_disallow_unauthenticated/oval/shared.xml
@@ -9,7 +9,7 @@
Accessing a repository should be
allowed only when the repository is authenticated.
-
diff --git a/linux_os/guide/services/sssd/sssd_enable_pam_services/bash/shared.sh b/linux_os/guide/services/sssd/sssd_enable_pam_services/bash/shared.sh
index 70bc0dbb33d..3c02911128f 100644
--- a/linux_os/guide/services/sssd/sssd_enable_pam_services/bash/shared.sh
+++ b/linux_os/guide/services/sssd/sssd_enable_pam_services/bash/shared.sh
@@ -3,17 +3,16 @@
# Include source function library.
. /usr/share/scap-security-guide/remediation_functions
-SSSD_SERVICES_PAM_REGEX="^[[:space:]]*\[sssd]([^\n]*\n+)+?[[:space:]]*services.*pam.*$"
-SSSD_SERVICES_REGEX="^[[:space:]]*\[sssd]([^\n]*\n+)+?[[:space:]]*services.*$"
-SSSD_PAM_SERVICES="[sssd]
-services = pam"
SSSD_CONF="/etc/sssd/sssd.conf"
+SSSD_CONF_DIR="/etc/sssd/conf.d/*.conf"
-# If there is services line with pam, good
-# If there is services line without pam, append pam
-# If not echo services line with pam
-grep -q "$SSSD_SERVICES_PAM_REGEX" $SSSD_CONF || \
- grep -q "$SSSD_SERVICES_REGEX" $SSSD_CONF && \
- sed -i "s/$SSSD_SERVICES_REGEX/&, pam/" $SSSD_CONF || \
- echo "$SSSD_PAM_SERVICES" >> $SSSD_CONF
+for f in $( ls $SSSD_CONF $SSSD_CONF_DIR 2> /dev/null ) ; do
+ # finds all services entries under [sssd] configuration category, get a unique list so it doesn't add redundant fix
+ services_list=$( awk '/^\s*\[/{f=0} /^\s*\[sssd\]/{f=1}f' $f | grep -P '^services[ \t]*=' | uniq )
+ while IFS= read -r services; do
+ if [[ ! $services =~ "pam" ]]; then
+ sed -i "s/$services$/&, pam/" $f
+ fi
+ done <<< "$services_list"
+done
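Review bot: When a file has no `services` line under `[sssd]`, `services_list` is empty, but the here-string still feeds the `while` loop one empty line; `$services` is then empty, the `=~ "pam"` test does not match, and the sed expression becomes `s/$/&, pam/`, which appends `, pam` to every line of that file. The guard should skip empty input, e.g. `if [[ -n "$services" && ! $services =~ "pam" ]]; then`. Separately, `$services` is interpolated into the sed pattern unescaped and with no restriction to the `[sssd]` section, so a value containing `/` or regex metacharacters breaks the command and an identical `services = …` line in another section is rewritten as well. `for f in $( ls … )` with an unquoted `$f` also splits paths on whitespace; iterating the glob directly and quoting `"$f"` avoids that.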
diff --git a/linux_os/guide/services/sssd/sssd_enable_pam_services/oval/shared.xml b/linux_os/guide/services/sssd/sssd_enable_pam_services/oval/shared.xml
index 73528962d1e..7af72709f29 100644
--- a/linux_os/guide/services/sssd/sssd_enable_pam_services/oval/shared.xml
+++ b/linux_os/guide/services/sssd/sssd_enable_pam_services/oval/shared.xml
@@ -2,28 +2,29 @@
Configure PAM in SSSD Services
-
- Red Hat Enterprise Linux 7
- Red Hat Enterprise Linux 8
- Red Hat Virtualization 4
- multi_platform_ol
-
+ {{{- oval_affected(products) }}}
SSSD should be configured to run SSSD PAM services.
-
+
-
+
+
- /etc/sssd/sssd.conf
- ^[\s]*\[sssd]([^\n\[\]]*\n+)+?[\s]*services.*pam.*$
- 1
+ ^/etc/sssd/(sssd|conf\.d/.*)\.conf$
+ ^\s*\[sssd\].*(?:\n\s*[^[\s].*)*\n\s*services[ \t]*=[ \t]*(.*)$
+ 1
+
+
+ ^.*pam.*$
+
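Review bot: The state pattern `^.*pam.*$` is a substring match, so any captured `services` value that merely contains the letters `pam` (a typo such as `pamd`, or a longer token) satisfies the check even though the PAM responder is not listed. Matching `pam` as a whole comma- or space-delimited item would be tighter, e.g. `^(.*[\s,])?pam([\s,].*)?$`. The bash remediation in this commit uses the same substring test (`=~ "pam"`) and would likewise leave such a line untouched. The XML element names are not visible in this hunk as rendered, so the mapping of these patterns to filepath, object pattern and state is inferred from their order.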
diff --git a/linux_os/guide/services/sssd/sssd_enable_pam_services/tests/custom_conf_services_pam_missing.fail.sh b/linux_os/guide/services/sssd/sssd_enable_pam_services/tests/custom_conf_services_pam_missing.fail.sh
new file mode 100644
index 00000000000..edc6e265bb1
--- /dev/null
+++ b/linux_os/guide/services/sssd/sssd_enable_pam_services/tests/custom_conf_services_pam_missing.fail.sh
@@ -0,0 +1,14 @@
+
+#!/bin/bash
+#
+# profiles = xccdf_org.ssgproject.content_profile_stig
+
+yum -y install /usr/lib/systemd/system/sssd.service
+rm -rf /etc/sssd/conf.d/
+mkdir -p /etc/sssd/conf.d/
+SSSD_CONF="/etc/sssd/conf.d/sssd.conf"
+
+cp wrong_sssd.conf $SSSD_CONF
+
+SSSD_CONF="/etc/sssd/sssd.conf"
+cp wrong_sssd.conf $SSSD_CONF
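Review bot: The new file begins with an empty line, so `#!/bin/bash` sits on line 2 and is not treated as a shebang when the script is executed directly; a harness that reads the `# profiles = …` header from the top of the file may be affected too, which cannot be verified from this hunk. Drop the leading blank line so the file starts with `#!/bin/bash`, as the other scenarios in this commit do. The copy targets would also be safer quoted: `cp wrong_sssd.conf "$SSSD_CONF"`.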
diff --git a/linux_os/guide/services/sssd/sssd_enable_pam_services/tests/multiple_wrong_entries.fail.sh b/linux_os/guide/services/sssd/sssd_enable_pam_services/tests/multiple_wrong_entries.fail.sh
new file mode 100644
index 00000000000..67336313805
--- /dev/null
+++ b/linux_os/guide/services/sssd/sssd_enable_pam_services/tests/multiple_wrong_entries.fail.sh
@@ -0,0 +1,41 @@
+#!/bin/bash
+#
+# profiles = xccdf_org.ssgproject.content_profile_stig
+
+yum -y install /usr/lib/systemd/system/sssd.service
+rm -rf /etc/sssd/conf.d/
+mkdir -p /etc/sssd/conf.d/
+SSSD_CONF="/etc/sssd/conf.d/sssd.conf"
+
+cp wrong_sssd.conf $SSSD_CONF
+
+SSSD_CONF="/etc/sssd/sssd.conf"
+cp wrong_sssd.conf $SSSD_CONF
+
+SSSD_CONF="/etc/sssd/sssd_custom.conf"
+cat < $SSSD_CONF
+[sssd]
+services = nss
+domains = shadowutils
+
+[nss]
+
+[pam]
+services = pam
+
+[domain/shadowutils]
+id_provider = files
+
+auth_provider = proxy
+proxy_pam_target = sssd-shadowutils
+
+proxy_fast_alias = True
+
+[sssd]
+services = abc,cde
+
+[sssd]
+services = pam
+param1 = pam
+services = abc,cde
+EOF
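Review bot: The multi-entry fixture is written to `/etc/sssd/sssd_custom.conf`, a path covered neither by the new OVAL filepath pattern `^/etc/sssd/(sssd|conf\.d/.*)\.conf$` nor by the remediation's file list (`/etc/sssd/sssd.conf` and `/etc/sssd/conf.d/*.conf`), so the duplicated `[sssd]` sections and repeated `services` lines are never evaluated. As written the scenario presumably fails only because of the two `wrong_sssd.conf` copies. Placing the fixture in the drop-in directory would exercise it: `SSSD_CONF="/etc/sssd/conf.d/sssd_custom.conf"`. The `cat < $SSSD_CONF` line reads like a here-document whose `<<EOF >` part was lost in rendering; if the file really contains it in this form, the fixture is never created.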
diff --git a/linux_os/guide/services/sssd/sssd_enable_pam_services/tests/services_pam_missing.fail.sh b/linux_os/guide/services/sssd/sssd_enable_pam_services/tests/services_pam_missing.fail.sh
deleted file mode 100644
index 2cc7df81afc..00000000000
--- a/linux_os/guide/services/sssd/sssd_enable_pam_services/tests/services_pam_missing.fail.sh
+++ /dev/null
@@ -1,12 +0,0 @@
-#!/bin/bash
-#
-# profiles = xccdf_org.ssgproject.content_profile_stig
-
-SSSD_PAM_SERVICES_REGEX="^[\s]*\[sssd]([^\n]*\n+)+?[\s]*services.*pam.*$"
-SSSD_PAM_SERVICES="[sssd]
-services pam"
-SSSD_CONF="/etc/sssd/sssd.conf"
-
-grep -q "$SSSD_PAM_SERVICES_REGEX" $SSSD_CONF && \
- sed -i "/$SSSD_PAM_SERVICES_REGEX/d" $SSSD_CONF || \
- true
diff --git a/linux_os/guide/services/sssd/sssd_enable_pam_services/tests/services_pam_missing.pass.sh b/linux_os/guide/services/sssd/sssd_enable_pam_services/tests/services_pam_missing.pass.sh
new file mode 100644
index 00000000000..b67bd637612
--- /dev/null
+++ b/linux_os/guide/services/sssd/sssd_enable_pam_services/tests/services_pam_missing.pass.sh
@@ -0,0 +1,17 @@
+#!/bin/bash
+#
+# profiles = xccdf_org.ssgproject.content_profile_stig
+
+SSSD_SERVICES_REGEX_SHORT="^[[:space:]]*services.*$"
+SSSD_CONF="/etc/sssd/sssd.conf"
+
+yum -y install /usr/lib/systemd/system/sssd.service
+rm -rf /etc/sssd/conf.d/
+rm -f SSSD_CONF
+cat < $SSSD_CONF
+[sssd]
+section1 = key
+section2 = nss
+[pam]
+example1 = abc
+EOF
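Review bot: `rm -f SSSD_CONF` is missing the `$`, so it removes a file literally named `SSSD_CONF` in the working directory and leaves `/etc/sssd/sssd.conf` as it was; it should read `rm -f "$SSSD_CONF"`. The same line appears in `sssd_pam_services.pass.sh` later in this commit. `SSSD_SERVICES_REGEX_SHORT` is assigned but never used in the lines shown and can be dropped.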
diff --git a/linux_os/guide/services/sssd/sssd_enable_pam_services/tests/services_pam_wrong_section.fail.sh b/linux_os/guide/services/sssd/sssd_enable_pam_services/tests/services_pam_wrong_section.fail.sh
index f44ae576067..664f08e31e3 100644
--- a/linux_os/guide/services/sssd/sssd_enable_pam_services/tests/services_pam_wrong_section.fail.sh
+++ b/linux_os/guide/services/sssd/sssd_enable_pam_services/tests/services_pam_wrong_section.fail.sh
@@ -2,5 +2,7 @@
#
# profiles = xccdf_org.ssgproject.content_profile_stig
+yum -y install /usr/lib/systemd/system/sssd.service
+rm -rf /etc/sssd/conf.d/
SSSD_CONF="/etc/sssd/sssd.conf"
cp wrong_sssd.conf $SSSD_CONF
diff --git a/linux_os/guide/services/sssd/sssd_enable_pam_services/tests/sssd_pam_services.pass.sh b/linux_os/guide/services/sssd/sssd_enable_pam_services/tests/sssd_pam_services.pass.sh
index 3aa48cbfbf2..3a998415940 100644
--- a/linux_os/guide/services/sssd/sssd_enable_pam_services/tests/sssd_pam_services.pass.sh
+++ b/linux_os/guide/services/sssd/sssd_enable_pam_services/tests/sssd_pam_services.pass.sh
@@ -2,11 +2,14 @@
#
# profiles = xccdf_org.ssgproject.content_profile_stig
-SSSD_PAM_SERVICES_REGEX="^[\s]*\[sssd]([^\n]*\n+)+?[\s]*services.*pam.*$"
-SSSD_PAM_SERVICES="[sssd]
-services = pam"
SSSD_CONF="/etc/sssd/sssd.conf"
-grep -q "$SSSD_PAM_SERVICES_REGEX" $SSSD_CONF && \
- sed -i "s/$SSSD_PAM_SERVICES_REGEX/$SSD_PAM_SERVICES/" $SSSD_CONF || \
- echo "$SSSD_PAM_SERVICES" >> $SSSD_CONF
+yum -y install /usr/lib/systemd/system/sssd.service
+rm -rf /etc/sssd/conf.d/
+rm -f SSSD_CONF
+cat < $SSSD_CONF
+[sssd]
+services = nss,pam
+[pam]
+example1 = abc
+EOF