ssg-nondebian 0.1.31-5 / usr / share / scap-security-guide / RHEL / 6 / bash-remediations.xml

<fix-content system="urn:xccdf:fix:script:sh" xmlns="http://checklists.nist.gov/xccdf/1.1">
  <fix-group id="bash" system="urn:xccdf:fix:script:sh" xmlns="http://checklists.nist.gov/xccdf/1.1">
    <fix rule="package_talk-server_removed" complexity="low" disruption="low" reboot="false" strategy="disable">
<sub idref="function_package_command"/>
package_command remove talk-server
</fix>
    <fix rule="package_audit_installed" complexity="low" disruption="low" reboot="false" strategy="enable">
<sub idref="function_package_command"/>
package_command install audit
</fix>
    <fix rule="package_rsh_removed" complexity="low" disruption="low" reboot="false" strategy="disable">
<sub idref="function_package_command"/>
package_command remove rsh
</fix>
    <fix rule="package_rsh-server_removed" complexity="low" disruption="low" reboot="false" strategy="disable">
<sub idref="function_package_command"/>
package_command remove rsh-server
</fix>
    <fix rule="package_aide_installed" complexity="low" disruption="low" reboot="false" strategy="enable">
<sub idref="function_package_command"/>
package_command install aide
</fix>
    <fix rule="kernel_module_usb-storage_disabled" complexity="low" disruption="medium" reboot="true" strategy="disable">echo "install usb-storage /bin/true" &gt; /etc/modprobe.d/usb-storage.conf
</fix>
    <fix rule="package_httpd_removed" complexity="low" disruption="low" reboot="false" strategy="disable">
<sub idref="function_package_command"/>
package_command remove httpd
</fix>
    <fix rule="package_samba-common_installed" complexity="low" disruption="low" reboot="false" strategy="enable">
<sub idref="function_package_command"/>
package_command install samba-common
</fix>
    <fix rule="package_ypbind_removed" complexity="low" disruption="low" reboot="false" strategy="disable">
<sub idref="function_package_command"/>
package_command remove ypbind
</fix>
    <fix rule="kernel_module_bluetooth_disabled" complexity="low" disruption="medium" reboot="true" strategy="disable">if grep --silent "^install bluetooth" /etc/modprobe.d/bluetooth.conf ; then
        sed -i 's/^install bluetooth.*/install bluetooth /bin/true/g' /etc/modprobe.d/bluetooth.conf
else
        echo -e "\n# Disable per security requirements" &gt;&gt; /etc/modprobe.d/bluetooth.conf
        echo "install bluetooth /bin/true" &gt;&gt; /etc/modprobe.d/bluetooth.conf
fi
</fix>
    <fix rule="package_net-snmp_removed" complexity="low" disruption="low" reboot="false" strategy="disable">
<sub idref="function_package_command"/>
package_command remove net-snmp
</fix>
    <fix rule="package_dovecot_removed" complexity="low" disruption="low" reboot="false" strategy="disable">
<sub idref="function_package_command"/>
package_command remove dovecot
</fix>
    <fix rule="package_vsftpd_installed" complexity="low" disruption="low" reboot="false" strategy="enable">
<sub idref="function_package_command"/>
package_command install vsftpd
</fix>
    <fix rule="package_talk_removed" complexity="low" disruption="low" reboot="false" strategy="disable">
<sub idref="function_package_command"/>
package_command remove talk
</fix>
    <fix rule="package_telnet_removed" complexity="low" disruption="low" reboot="false" strategy="disable">
<sub idref="function_package_command"/>
package_command remove telnet
</fix>
    <fix rule="accounts_max_concurrent_login_sessions" complexity="low" disruption="low" reboot="false" strategy="disable">
var_accounts_max_concurrent_login_sessions="<sub idref="var_accounts_max_concurrent_login_sessions"/>"

if grep -q '^[^#]*\&lt;maxlogins\&gt;' /etc/security/limits.d/*.conf; then
	sed -i "/^[^#]*\&lt;maxlogins\&gt;/ s/maxlogins.*/maxlogins $var_accounts_max_concurrent_login_sessions/" /etc/security/limits.d/*.conf
elif grep -q '^[^#]*\&lt;maxlogins\&gt;' /etc/security/limits.conf; then
	sed -i "/^[^#]*\&lt;maxlogins\&gt;/ s/maxlogins.*/maxlogins $var_accounts_max_concurrent_login_sessions/" /etc/security/limits.conf
else
	echo "*	hard	maxlogins	$var_accounts_max_concurrent_login_sessions" &gt;&gt; /etc/security/limits.conf
fi
</fix>
    <fix rule="sshd_allow_only_protocol2" complexity="low" disruption="low" reboot="false" strategy="disable">
<sub idref="function_replace_or_append"/>
replace_or_append '/etc/ssh/sshd_config' '^Protocol' '2' '$CCENUM' '%s %s'
</fix>
    <fix rule="file_permissions_etc_passwd" complexity="low" disruption="low" reboot="false" strategy="disable">chmod 0644 /etc/passwd
</fix>
    <fix rule="accounts_umask_etc_csh_cshrc" complexity="low" disruption="low" reboot="false" strategy="disable">
var_accounts_user_umask="<sub idref="var_accounts_user_umask"/>"

grep -q umask /etc/csh.cshrc &amp;&amp; \
  sed -i "s/umask.*/umask $var_accounts_user_umask/g" /etc/csh.cshrc
if ! [ $? -eq 0 ]; then
    echo "umask $var_accounts_user_umask" &gt;&gt; /etc/csh.cshrc
fi
</fix>
    <fix rule="no_rsh_trust_files" complexity="low" disruption="low" reboot="false" strategy="disable">find -type f -name .rhosts -exec rm -f '{}' \;
rm /etc/hosts.equiv
</fix>
    <fix rule="sshd_set_keepalive" complexity="low" disruption="low" reboot="false" strategy="disable">grep -q ^ClientAliveCountMax /etc/ssh/sshd_config &amp;&amp; \
  sed -i "s/ClientAliveCountMax.*/ClientAliveCountMax 0/g" /etc/ssh/sshd_config
if ! [ $? -eq 0 ]; then
    echo "ClientAliveCountMax 0" &gt;&gt; /etc/ssh/sshd_config
fi
</fix>
    <fix rule="auditd_data_retention_space_left_action" complexity="low" disruption="low" reboot="false" strategy="disable">
var_auditd_space_left_action="<sub idref="var_auditd_space_left_action"/>"

#
# If space_left_action present in /etc/audit/auditd.conf, change value
# to var_auditd_space_left_action, else
# add "space_left_action = $var_auditd_space_left_action" to /etc/audit/auditd.conf
#

if grep --silent ^space_left_action /etc/audit/auditd.conf ; then
        sed -i 's/^space_left_action.*/space_left_action = '"$var_auditd_space_left_action"'/g' /etc/audit/auditd.conf
else
        echo -e "\n# Set space_left_action to $var_auditd_space_left_action per security requirements" &gt;&gt; /etc/audit/auditd.conf
        echo "space_left_action = $var_auditd_space_left_action" &gt;&gt; /etc/audit/auditd.conf
fi
</fix>
    <fix rule="auditd_audispd_syslog_plugin_activated" complexity="low" disruption="low" reboot="false" strategy="disable">
grep -q ^active /etc/audisp/plugins.d/syslog.conf &amp;&amp; \
  sed -i "s/active.*/active = yes/g" /etc/audisp/plugins.d/syslog.conf
if ! [ $? -eq 0 ]; then
    echo "active = yes" &gt;&gt; /etc/audisp/plugins.d/syslog.conf
fi
</fix>
    <fix rule="file_owner_etc_gshadow" complexity="low" disruption="low" reboot="false" strategy="disable">chown root /etc/gshadow
</fix>
    <fix rule="sshd_disable_rhosts" complexity="low" disruption="low" reboot="false" strategy="disable">
<sub idref="function_replace_or_append"/>
replace_or_append '/etc/ssh/sshd_config' '^IgnoreRhosts' 'yes' '$CCENUM' '%s %s'
</fix>
    <fix rule="sshd_use_approved_macs" complexity="low" disruption="low" reboot="false" strategy="disable">
<sub idref="function_replace_or_append"/>
replace_or_append '/etc/ssh/sshd_config' '^MACs' 'hmac-sha2-512,hmac-sha2-256,hmac-sha1' '$CCENUM' '%s %s'
</fix>
    <fix rule="file_owner_etc_group" complexity="low" disruption="low" reboot="false" strategy="disable">chown root /etc/group
</fix>
    <fix rule="aide_periodic_cron_checking" complexity="low" disruption="low" reboot="false" strategy="disable">echo "05 4 * * * root /usr/sbin/aide --check" &gt;&gt; /etc/crontab
</fix>
    <fix rule="file_groupowner_etc_passwd" complexity="low" disruption="low" reboot="false" strategy="disable">chgrp root /etc/passwd
</fix>
    <fix rule="file_permissions_sshd_private_key" complexity="low" disruption="low" reboot="false" strategy="disable">
chmod 0640 /etc/ssh/*_key
</fix>
    <fix rule="file_ownership_var_log_audit" complexity="low" disruption="low" reboot="false" strategy="disable">
if `grep -q ^log_group /etc/audit/auditd.conf` ; then
  GROUP=$(awk -F "=" '/log_group/ {print $2}' /etc/audit/auditd.conf | tr -d ' ')
  if ! [ "${GROUP}" == 'root' ] ; then
    chown root.${GROUP} /var/log/audit
    chown root.${GROUP} /var/log/audit/audit.log*
  else
    chown root.root /var/log/audit
    chown root.root /var/log/audit/audit.log*
  fi
else
  chown root.root /var/log/audit
  chown root.root /var/log/audit/audit.log*
fi
</fix>
    <fix rule="auditd_data_retention_action_mail_acct" complexity="low" disruption="low" reboot="false" strategy="disable">
var_auditd_action_mail_acct="<sub idref="var_auditd_action_mail_acct"/>"

AUDITCONFIG=/etc/audit/auditd.conf

grep -q ^action_mail_acct $AUDITCONFIG &amp;&amp; \
  sed -i 's/^action_mail_acct.*/action_mail_acct = '"$var_auditd_action_mail_acct"'/g' $AUDITCONFIG
if ! [ $? -eq 0 ]; then
  echo "action_mail_acct = $var_auditd_action_mail_acct" &gt;&gt; $AUDITCONFIG
fi
</fix>
    <fix rule="bootloader_audit_argument" complexity="low" disruption="low" reboot="false" strategy="disable">/sbin/grubby --update-kernel=ALL --args="audit=1"
</fix>
    <fix rule="file_owner_etc_passwd" complexity="low" disruption="low" reboot="false" strategy="disable">chown root /etc/passwd
</fix>
    <fix rule="file_permissions_etc_group" complexity="low" disruption="low" reboot="false" strategy="disable">chmod 644 /etc/group
</fix>
    <fix rule="sshd_disable_compression" complexity="low" disruption="low" reboot="false" strategy="disable">
<sub idref="function_replace_or_append"/>
replace_or_append '/etc/ssh/sshd_config' '^Compression' 'no' '$CCENUM' '%s %s'
</fix>
    <fix rule="accounts_umask_etc_bashrc" complexity="low" disruption="low" reboot="false" strategy="disable">
var_accounts_user_umask="<sub idref="var_accounts_user_umask"/>"

grep -q umask /etc/bashrc &amp;&amp; \
  sed -i "s/umask.*/umask $var_accounts_user_umask/g" /etc/bashrc
if ! [ $? -eq 0 ]; then
    echo "umask $var_accounts_user_umask" &gt;&gt; /etc/bashrc
fi
</fix>
    <fix rule="file_permissions_binary_dirs" complexity="low" disruption="low" reboot="false" strategy="disable">DIRS="/bin /usr/bin /usr/local/bin /sbin /usr/sbin /usr/local/sbin /usr/libexec"
for dirPath in $DIRS; do
	find "$dirPath" -perm /022 -exec chmod go-w '{}' \;
done
</fix>
    <fix rule="selinux_state" complexity="low" disruption="low" reboot="false" strategy="disable">
var_selinux_state="<sub idref="var_selinux_state"/>"
<sub idref="function_replace_or_append"/>
replace_or_append '/etc/sysconfig/selinux' '^SELINUX=' $var_selinux_state '$CCENUM' '%s=%s'
</fix>
    <fix rule="file_permissions_var_log_audit" complexity="low" disruption="low" reboot="false" strategy="disable">
if `grep -q ^log_group /etc/audit/auditd.conf` ; then
  GROUP=$(awk -F "=" '/log_group/ {print $2}' /etc/audit/auditd.conf | tr -d ' ')
  if ! [ "${GROUP}" == 'root' ] ; then
    chmod 0640 /var/log/audit/audit.log
    chmod 0440 /var/log/audit/audit.log.*
  else
    chmod 0600 /var/log/audit/audit.log
    chmod 0400 /var/log/audit/audit.log.*
  fi

  chmod 0640 /etc/audit/audit*
  chmod 0640 /etc/audit/rules.d/*
else
  chmod 0600 /var/log/audit/audit.log
  chmod 0400 /var/log/audit/audit.log.*
  chmod 0640 /etc/audit/audit*
  chmod 0640 /etc/audit/rules.d/*
fi
</fix>
    <fix rule="security_patches_up_to_date" complexity="low" disruption="low" reboot="false" strategy="disable">yum -y update
</fix>
    <fix rule="file_groupowner_etc_gshadow" complexity="low" disruption="low" reboot="false" strategy="disable">chgrp root /etc/gshadow
</fix>
    <fix rule="sshd_use_priv_separation" complexity="low" disruption="low" reboot="false" strategy="disable">
<sub idref="function_replace_or_append"/>
replace_or_append '/etc/ssh/sshd_config' '^UsePrivilegeSeparation' 'yes' '$CCENUM' '%s %s'
</fix>
    <fix rule="disable_host_auth" complexity="low" disruption="low" reboot="false" strategy="disable">grep -q ^HostbasedAuthentication /etc/ssh/sshd_config &amp;&amp; \
  sed -i "s/HostbasedAuthentication.*/HostbasedAuthentication no/g" /etc/ssh/sshd_config
if ! [ $? -eq 0 ]; then
    echo "HostbasedAuthentication no" &gt;&gt; /etc/ssh/sshd_config
fi
</fix>
    <fix rule="rsyslog_files_permissions" complexity="low" disruption="low" reboot="false" strategy="disable">
# List of log file paths to be inspected for correct permissions
# * Primarily inspect log file paths listed in /etc/rsyslog.conf
RSYSLOG_ETC_CONFIG="/etc/rsyslog.conf"
# * And also the log file paths listed after rsyslog's $IncludeConfig directive
#   (store the result into array for the case there's shell glob used as value of IncludeConfig)
RSYSLOG_INCLUDE_CONFIG=($(grep -e "\$IncludeConfig[[:space:]]\+[^[:space:];]\+" /etc/rsyslog.conf | cut -d ' ' -f 2))
# Declare an array to hold the final list of different log file paths
declare -a LOG_FILE_PATHS

# Browse each file selected above as containing paths of log files
# ('/etc/rsyslog.conf' and '/etc/rsyslog.d/*.conf' in the default configuration)
for LOG_FILE in "${RSYSLOG_ETC_CONFIG}" "${RSYSLOG_INCLUDE_CONFIG[@]}"
do
	# From each of these files extract just particular log file path(s), thus:
	# * Ignore lines starting with space (' '), comment ('#"), or variable syntax ('$') characters,
	# * Ignore empty lines,
	# * From the remaining valid rows select only fields constituting a log file path
	# Text file column is understood to represent a log file path if and only if all of the following are met:
	# * it contains at least one slash '/' character,
	# * it doesn't contain space (' '), colon (':'), and semicolon (';') characters
	# Search log file for path(s) only in case it exists!
	if [[ -f "${LOG_FILE}" ]]
	then
		MATCHED_ITEMS=$(sed -e "/^[[:space:]|#|$]/d ; s/[^\/]*[[:space:]]*\([^:;[:space:]]*\)/\1/g ; /^$/d" "${LOG_FILE}")
		# Since above sed command might return more than one item (delimited by newline), split the particular
		# matches entries into new array specific for this log file
		readarray -t ARRAY_FOR_LOG_FILE &lt;&lt;&lt; "$MATCHED_ITEMS"
		# Concatenate the two arrays - previous content of $LOG_FILE_PATHS array with
		# items from newly created array for this log file
		LOG_FILE_PATHS=("${LOG_FILE_PATHS[@]}" "${ARRAY_FOR_LOG_FILE[@]}")
		# Delete the temporary array
		unset ARRAY_FOR_LOG_FILE
	fi
done

for PATH in "${LOG_FILE_PATHS[@]}"
do
	# Sanity check - if particular $PATH is empty string, skip it from further processing
	if [ -z "$PATH" ]
	then
		continue
	fi
	# Per https://access.redhat.com/solutions/66805 '/var/log/boot.log' log file needs special care =&gt; perform it
	if [ "$PATH" == "/var/log/boot.log" ]
	then
		# Ensure permissions of /var/log/boot.log are configured to be updated in /etc/rc.local
		if ! /bin/grep -q "boot.log" "/etc/rc.local"
		then
			echo "/bin/chmod 600 /var/log/boot.log" &gt;&gt; /etc/rc.local
		fi
		# Ensure /etc/rc.d/rc.local has user-executable permission
		# (in order to be actually executed during boot)
		if [ "$(/usr/bin/stat -c %a /etc/rc.d/rc.local)" -ne 744 ]
		then
			/bin/chmod u+x /etc/rc.d/rc.local
		fi
	fi
	# Also for each log file check if its permissions differ from 600. If so, correct them
	if [ "$(/usr/bin/stat -c %a "$PATH")" -ne 600 ]
	then
		/bin/chmod 600 "$PATH"
	fi
done
</fix>
    <fix rule="set_iptables_default_rule_forward" complexity="low" disruption="low" reboot="false" strategy="disable">sed -i 's/^:FORWARD ACCEPT.*/:FORWARD DROP [0:0]/g' /etc/sysconfig/iptables
</fix>
    <fix rule="rpm_verify_permissions" complexity="low" disruption="low" reboot="false" strategy="disable">
# Declare array to hold list of RPM packages we need to correct permissions for
declare -a SETPERMS_RPM_LIST

# Create a list of files on the system having permissions different from what
# is expected by the RPM database
FILES_WITH_INCORRECT_PERMS=($(rpm -Va --nofiledigest | grep '^.M'))

# For each file path from that list:
# * Determine the RPM package the file path is shipped by,
# * Include it into SETPERMS_RPM_LIST array

for FILE_PATH in "${FILES_WITH_INCORRECT_PERMS[@]}"
do
	RPM_PACKAGE=$(rpm -qf "$FILE_PATH")
	SETPERMS_RPM_LIST=("${SETPERMS_RPM_LIST[@]}" "$RPM_PACKAGE")
done

# Remove duplicate mention of same RPM in $SETPERMS_RPM_LIST (if any)
SETPERMS_RPM_LIST=( $(echo "${SETPERMS_RPM_LIST[@]}" | sort -n | uniq) )

# For each of the RPM packages left in the list -- reset its permissions to the
# correct values
for RPM_PACKAGE in "${SETPERMS_RPM_LIST[@]}"
do
	rpm --setperms "${RPM_PACKAGE}"
done
</fix>
    <fix rule="set_ip6tables_default_rule" complexity="low" disruption="low" reboot="false" strategy="disable">sed -i 's/^:INPUT ACCEPT.*/:INPUT DROP [0:0]/g' /etc/sysconfig/ip6tables
</fix>
    <fix rule="sshd_disable_gssapi_auth" complexity="low" disruption="low" reboot="false" strategy="disable">
<sub idref="function_replace_or_append"/>
replace_or_append '/etc/ssh/sshd_config' '^GSSAPIAuthentication' 'no' '$CCENUM' '%s %s'
</fix>
    <fix rule="file_groupowner_etc_group" complexity="low" disruption="low" reboot="false" strategy="disable">chgrp root /etc/group
</fix>
    <fix rule="auditd_data_retention_flush" complexity="low" disruption="low" reboot="false" strategy="disable">
var_auditd_flush="<sub idref="var_auditd_flush"/>"

AUDITCONFIG=/etc/audit/auditd.conf

# if flush is present, flush param edited to var_auditd_flush
# else flush param is defined by var_auditd_flush
#
# the freq param is only used value 'incremental' and will be
# commented out if flush != incremental
#
# if flush == incremental &amp;&amp; freq param is not defined, it 
# will be defined as the package-default value of 20

grep -q ^flush $AUDITCONFIG &amp;&amp; \
  sed -i 's/^flush.*/flush = '"$var_auditd_flush"'/g' $AUDITCONFIG
if ! [ $? -eq 0 ]; then
  echo "flush = $var_auditd_flush" &gt;&gt; $AUDITCONFIG
fi

if ! [ "$var_auditd_flush" == "incremental" ]; then
  sed -i 's/^freq/##freq/g' $AUDITCONFIG
elif [ "$var_auditd_flush" == "incremental" ]; then
  grep -q freq $AUDITCONFIG &amp;&amp; \
    sed -i 's/^#\+freq/freq/g' $AUDITCONFIG
  if ! [ $? -eq 0 ]; then
    echo "freq = 20" &gt;&gt; $AUDITCONFIG
  fi
fi
</fix>
    <fix rule="ensure_gpgcheck_never_disabled" complexity="low" disruption="low" reboot="false" strategy="disable">sed -i 's/gpgcheck=.*/gpgcheck=1/g' /etc/yum.repos.d/*
</fix>
    <fix rule="set_password_hashing_algorithm_logindefs" complexity="low" disruption="low" reboot="false" strategy="disable">if grep --silent ^ENCRYPT_METHOD /etc/login.defs ; then
	sed -i 's/^ENCRYPT_METHOD.*/ENCRYPT_METHOD SHA512/g' /etc/login.defs
else
	echo "" &gt;&gt; /etc/login.defs
	echo "ENCRYPT_METHOD SHA512" &gt;&gt; /etc/login.defs
fi
</fix>
    <fix rule="ensure_gpgcheck_globally_activated" complexity="low" disruption="low" reboot="false" strategy="disable">sed -i 's/gpgcheck=.*/gpgcheck=1/g' /etc/yum.conf
</fix>
    <fix rule="auditd_data_retention_max_log_file_action" complexity="low" disruption="low" reboot="false" strategy="disable">
var_auditd_max_log_file_action="<sub idref="var_auditd_max_log_file_action"/>"

AUDITCONFIG=/etc/audit/auditd.conf

grep -q ^max_log_file_action $AUDITCONFIG &amp;&amp; \
  sed -i 's/^max_log_file_action.*/max_log_file_action = '"$var_auditd_max_log_file_action"'/g' $AUDITCONFIG
if ! [ $? -eq 0 ]; then
  echo "max_log_file_action = $var_auditd_max_log_file_action" &gt;&gt; $AUDITCONFIG
fi
</fix>
    <fix rule="aide_build_database" complexity="low" disruption="low" reboot="false" strategy="disable">/usr/sbin/aide --init
/bin/cp -p /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
</fix>
    <fix rule="file_permissions_etc_gshadow" complexity="low" disruption="low" reboot="false" strategy="disable">chmod 0000 /etc/gshadow
</fix>
    <fix rule="require_smb_client_signing" complexity="low" disruption="low" reboot="false" strategy="disable">######################################################################
#By Luke "Brisk-OH" Brisk
#luke.brisk@boeing.com or luke.brisk@gmail.com
######################################################################

CLIENTSIGNING=$( grep -ic 'client signing' /etc/samba/smb.conf )

if [ "$CLIENTSIGNING" -eq 0 ];  then
	# Add to global section
	sed -i 's/\[global\]/\[global\]\n\n\tclient signing = mandatory/g' /etc/samba/smb.conf
else
	sed -i 's/[[:blank:]]*client[[:blank:]]signing[[:blank:]]*=[[:blank:]]*no/        client signing = mandatory/g' /etc/samba/smb.conf
fi

</fix>
    <fix rule="file_permissions_sshd_pub_key" complexity="low" disruption="low" reboot="false" strategy="disable">
chmod 0644 /etc/ssh/*.pub
</fix>
    <fix rule="accounts_passwords_pam_faillock_deny" complexity="low" disruption="low" reboot="false" strategy="disable">
var_accounts_passwords_pam_faillock_deny="<sub idref="var_accounts_passwords_pam_faillock_deny"/>"

AUTH_FILES[0]="/etc/pam.d/system-auth"
AUTH_FILES[1]="/etc/pam.d/password-auth"

for pamFile in "${AUTH_FILES[@]}"
do
	
	# pam_faillock.so already present?
	if grep -q "^auth.*pam_faillock.so.*" $pamFile; then

		# pam_faillock.so present, deny directive present?
		if grep -q "^auth.*[default=die].*pam_faillock.so.*authfail.*deny=" $pamFile; then

			# both pam_faillock.so &amp; deny present, just correct deny directive value
			sed -i --follow-symlinks "s/\(^auth.*required.*pam_faillock.so.*preauth.*silent.*\)\(deny *= *\).*/\1\2$var_accounts_passwords_pam_faillock_deny/" $pamFile
			sed -i --follow-symlinks "s/\(^auth.*[default=die].*pam_faillock.so.*authfail.*\)\(deny *= *\).*/\1\2$var_accounts_passwords_pam_faillock_deny/" $pamFile

		# pam_faillock.so present, but deny directive not yet
		else

			# append correct deny value to appropriate places
			sed -i --follow-symlinks "/^auth.*required.*pam_faillock.so.*preauth.*silent.*/ s/$/ deny=$var_accounts_passwords_pam_faillock_deny/" $pamFile
			sed -i --follow-symlinks "/^auth.*[default=die].*pam_faillock.so.*authfail.*/ s/$/ deny=$var_accounts_passwords_pam_faillock_deny/" $pamFile
		fi

	# pam_faillock.so not present yet
	else

		# insert pam_faillock.so preauth &amp; authfail rows with proper value of the 'deny' option
		sed -i --follow-symlinks "/^auth.*sufficient.*pam_unix.so.*/i auth        required      pam_faillock.so preauth silent deny=$var_accounts_passwords_pam_faillock_deny" $pamFile
		sed -i --follow-symlinks "/^auth.*sufficient.*pam_unix.so.*/a auth        [default=die] pam_faillock.so authfail deny=$var_accounts_passwords_pam_faillock_deny" $pamFile
		sed -i --follow-symlinks "/^account.*required.*pam_unix.so/i account     required      pam_faillock.so" $pamFile
	fi
done
</fix>
    <fix rule="sshd_disable_kerb_auth" complexity="low" disruption="low" reboot="false" strategy="disable">
<sub idref="function_replace_or_append"/>
replace_or_append '/etc/ssh/sshd_config' '^KerberosAuthentication' 'no' '$CCENUM' '%s %s'
</fix>
    <fix rule="set_iptables_default_rule" complexity="low" disruption="low" reboot="false" strategy="disable">sed -i 's/^:INPUT ACCEPT.*/:INPUT DROP [0:0]/g' /etc/sysconfig/iptables
</fix>
    <fix rule="securetty_root_login_console_only" complexity="low" disruption="low" reboot="false" strategy="disable">sed -i '/^vc\//d' /etc/securetty
</fix>
    <fix rule="accounts_passwords_pam_faillock_interval" complexity="low" disruption="low" reboot="false" strategy="disable">
var_accounts_passwords_pam_faillock_fail_interval="<sub idref="var_accounts_passwords_pam_faillock_fail_interval"/>"

AUTH_FILES[0]="/etc/pam.d/system-auth"
AUTH_FILES[1]="/etc/pam.d/password-auth"

for pamFile in "${AUTH_FILES[@]}"
do
	
	# pam_faillock.so already present?
	if grep -q "^auth.*pam_faillock.so.*" $pamFile; then

		# pam_faillock.so present, 'fail_interval' directive present?
		if grep -q "^auth.*[default=die].*pam_faillock.so.*authfail.*fail_interval=" $pamFile; then

			# both pam_faillock.so &amp; 'fail_interval' present, just correct 'fail_interval' directive value
			sed -i --follow-symlinks "s/\(^auth.*required.*pam_faillock.so.*preauth.*silent.*\)\(fail_interval *= *\).*/\1\2$var_accounts_passwords_pam_faillock_fail_interval/" $pamFile
			sed -i --follow-symlinks "s/\(^auth.*[default=die].*pam_faillock.so.*authfail.*\)\(fail_interval *= *\).*/\1\2$var_accounts_passwords_pam_faillock_fail_interval/" $pamFile

		# pam_faillock.so present, but 'fail_interval' directive not yet
		else

			# append correct 'fail_interval' value to appropriate places
			sed -i --follow-symlinks "/^auth.*required.*pam_faillock.so.*preauth.*silent.*/ s/$/ fail_interval=$var_accounts_passwords_pam_faillock_fail_interval/" $pamFile
			sed -i --follow-symlinks "/^auth.*[default=die].*pam_faillock.so.*authfail.*/ s/$/ fail_interval=$var_accounts_passwords_pam_faillock_fail_interval/" $pamFile
		fi

	# pam_faillock.so not present yet
	else

		# insert pam_faillock.so preauth &amp; authfail rows with proper value of the 'fail_interval' option
		sed -i --follow-symlinks "/^auth.*sufficient.*pam_unix.so.*/i auth        required      pam_faillock.so preauth silent fail_interval=$var_accounts_passwords_pam_faillock_fail_interval" $pamFile
		sed -i --follow-symlinks "/^auth.*sufficient.*pam_unix.so.*/a auth        [default=die] pam_faillock.so authfail fail_interval=$var_accounts_passwords_pam_faillock_fail_interval" $pamFile
		sed -i --follow-symlinks "/^account.*required.*pam_unix.so/i account     required      pam_faillock.so" $pamFile
	fi
done
</fix>
    <fix rule="set_password_hashing_algorithm_systemauth" complexity="low" disruption="low" reboot="false" strategy="disable">if ! grep -q "^password.*sufficient.*pam_unix.so.*sha512" /etc/pam.d/system-auth; then   
	sed -i --follow-symlinks "/^password.*sufficient.*pam_unix.so/ s/$/ sha512/" /etc/pam.d/system-auth
fi
</fix>
    <fix rule="auditd_data_retention_max_log_file" complexity="low" disruption="low" reboot="false" strategy="disable">
var_auditd_max_log_file="<sub idref="var_auditd_max_log_file"/>"

AUDITCONFIG=/etc/audit/auditd.conf

grep -q ^max_log_file $AUDITCONFIG &amp;&amp; \
  sed -i 's/^max_log_file.*/max_log_file = '"$var_auditd_max_log_file"'/g' $AUDITCONFIG
if ! [ $? -eq 0 ]; then
  echo "max_log_file = $var_auditd_max_log_file" &gt;&gt; $AUDITCONFIG
fi
</fix>
    <fix rule="ensure_redhat_gpgkey_installed" complexity="low" disruption="low" reboot="false" strategy="disable"># The two fingerprints below are retrieved from https://access.redhat.com/security/team/key
readonly REDHAT_RELEASE_2_FINGERPRINT="567E 347A D004 4ADE 55BA 8A5F 199E 2F91 FD43 1D51"
readonly REDHAT_AUXILIARY_FINGERPRINT="43A6 E49C 4A38 F4BE 9ABF 2A53 4568 9C88 2FA6 58E0"
# Location of the key we would like to import (once it's integrity verified)
readonly REDHAT_RELEASE_KEY="/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release"

RPM_GPG_DIR_PERMS=$(stat -c %a "$(dirname "$REDHAT_RELEASE_KEY")")

# Verify /etc/pki/rpm-gpg directory permissions are safe
if [ "${RPM_GPG_DIR_PERMS}" -le "755" ]
then
  # If they are safe, try to obtain fingerprints from the key file
  # (to ensure there won't be e.g. CRC error)
  IFS=$'\n' GPG_OUT=($(gpg --with-fingerprint "${REDHAT_RELEASE_KEY}"))
  GPG_RESULT=$?
  # No CRC error, safe to proceed
  if [ "${GPG_RESULT}" -eq "0" ]
  then
    for ITEM in "${GPG_OUT[@]}"
    do
      # Filter just hexadecimal fingerprints from gpg's output from
      # processing of a key file
      RESULT=$(echo ${ITEM} | sed -n "s/[[:space:]]*Key fingerprint = \(.*\)/\1/p" | tr -s '[:space:]')
      # If fingerprint matches Red Hat's release 2 or auxiliary key import the key
      if [[ ${RESULT} ]] &amp;&amp; ([[ ${RESULT} = "${REDHAT_RELEASE_2_FINGERPRINT}" ]] || \
                             [[ ${RESULT} = "${REDHAT_AUXILIARY_FINGERPRINT}" ]])
      then
        rpm --import "${REDHAT_RELEASE_KEY}"
      fi
    done
  fi
fi
</fix>
    <fix rule="accounts_passwords_pam_faillock_unlock_time" complexity="low" disruption="low" reboot="false" strategy="disable">
var_accounts_passwords_pam_faillock_unlock_time="<sub idref="var_accounts_passwords_pam_faillock_unlock_time"/>"

AUTH_FILES[0]="/etc/pam.d/system-auth"
AUTH_FILES[1]="/etc/pam.d/password-auth"

for pamFile in "${AUTH_FILES[@]}"
do
	
	# pam_faillock.so already present?
	if grep -q "^auth.*pam_faillock.so.*" $pamFile; then

		# pam_faillock.so present, unlock_time directive present?
		if grep -q "^auth.*[default=die].*pam_faillock.so.*authfail.*unlock_time=" $pamFile; then

			# both pam_faillock.so &amp; unlock_time present, just correct unlock_time directive value
			sed -i --follow-symlinks "s/\(^auth.*required.*pam_faillock.so.*preauth.*silent.*\)\(unlock_time *= *\).*/\1\2$var_accounts_passwords_pam_faillock_unlock_time/" $pamFile
			sed -i --follow-symlinks "s/\(^auth.*[default=die].*pam_faillock.so.*authfail.*\)\(unlock_time *= *\).*/\1\2$var_accounts_passwords_pam_faillock_unlock_time/" $pamFile

		# pam_faillock.so present, but unlock_time directive not yet
		else

			# append correct unlock_time value to appropriate places
			sed -i --follow-symlinks "/^auth.*required.*pam_faillock.so.*preauth.*silent.*/ s/$/ unlock_time=$var_accounts_passwords_pam_faillock_unlock_time/" $pamFile
			sed -i --follow-symlinks "/^auth.*[default=die].*pam_faillock.so.*authfail.*/ s/$/ unlock_time=$var_accounts_passwords_pam_faillock_unlock_time/" $pamFile
		fi

	# pam_faillock.so not present yet
	else

		# insert pam_faillock.so preauth &amp; authfail rows with proper value of the 'unlock_time' option
		sed -i --follow-symlinks "/^auth.*sufficient.*pam_unix.so.*/i auth        required      pam_faillock.so preauth silent unlock_time=$var_accounts_passwords_pam_faillock_unlock_time" $pamFile
		sed -i --follow-symlinks "/^auth.*sufficient.*pam_unix.so.*/a auth        [default=die] pam_faillock.so authfail unlock_time=$var_accounts_passwords_pam_faillock_unlock_time" $pamFile
		sed -i --follow-symlinks "/^account.*required.*pam_unix.so/i account     required      pam_faillock.so" $pamFile
	fi
done
</fix>
    <fix rule="accounts_password_pam_unix_remember" complexity="low" disruption="low" reboot="false" strategy="disable">
var_password_pam_unix_remember="<sub idref="var_password_pam_unix_remember"/>"

if grep -q "remember=" /etc/pam.d/system-auth; then   
	sed -i --follow-symlinks "s/\(^password.*sufficient.*pam_unix.so.*\)\(\(remember *= *\)[^ $]*\)/\1remember=$var_password_pam_unix_remember/" /etc/pam.d/system-auth
else
	sed -i --follow-symlinks "/^password[[:space:]]\+sufficient[[:space:]]\+pam_unix.so/ s/$/ remember=$var_password_pam_unix_remember/" /etc/pam.d/system-auth
fi
</fix>
    <fix rule="sshd_disable_root_login" complexity="low" disruption="low" reboot="false" strategy="disable">
SSHD_CONFIG='/etc/ssh/sshd_config'

# Obtain line number of first uncommented case-insensitive occurrence of Match
# block directive (possibly prefixed with whitespace) present in $SSHD_CONFIG
FIRST_MATCH_BLOCK=$(sed -n '/^[[:space:]]*Match[^\n]*/I{=;q}' $SSHD_CONFIG)

# Obtain line number of first uncommented case-insensitive occurence of
# PermitRootLogin directive (possibly prefixed with whitespace) present in
# $SSHD_CONFIG
FIRST_PERMIT_ROOT_LOGIN=$(sed -n '/^[[:space:]]*PermitRootLogin[^\n]*/I{=;q}' $SSHD_CONFIG)

# Case: Match block directive not present in $SSHD_CONFIG
if [ -z "$FIRST_MATCH_BLOCK" ]
then

    # Case: PermitRootLogin directive not present in $SSHD_CONFIG yet
    if [ -z "$FIRST_PERMIT_ROOT_LOGIN" ]
    then
        # Append 'PermitRootLogin no' at the end of $SSHD_CONFIG
        echo -e "\nPermitRootLogin no" &gt;&gt; $SSHD_CONFIG

    # Case: PermitRootLogin directive present in $SSHD_CONFIG already
    else
        # Replace first uncommented case-insensitive occurrence
        # of PermitRootLogin directive
        sed -i "$FIRST_PERMIT_ROOT_LOGIN s/^[[:space:]]*PermitRootLogin.*$/PermitRootLogin no/I" $SSHD_CONFIG
    fi

# Case: Match block directive present in $SSHD_CONFIG
else

    # Case: PermitRootLogin directive not present in $SSHD_CONFIG yet
    if [ -z "$FIRST_PERMIT_ROOT_LOGIN" ]
    then
        # Prepend 'PermitRootLogin no' before first uncommented
        # case-insensitive occurrence of Match block directive
        sed -i "$FIRST_MATCH_BLOCK s/^\([[:space:]]*Match[^\n]*\)/PermitRootLogin no\n\1/I" $SSHD_CONFIG

    # Case: PermitRootLogin directive present in $SSHD_CONFIG and placed
    #       before first Match block directive
    elif [ "$FIRST_PERMIT_ROOT_LOGIN" -lt "$FIRST_MATCH_BLOCK" ]
    then
        # Replace first uncommented case-insensitive occurrence
        # of PermitRootLogin directive
        sed -i "$FIRST_PERMIT_ROOT_LOGIN s/^[[:space:]]*PermitRootLogin.*$/PermitRootLogin no/I" $SSHD_CONFIG

    # Case: PermitRootLogin directive present in $SSHD_CONFIG and placed
    # after first Match block directive
    else
         # Prepend 'PermitRootLogin no' before first uncommented
         # case-insensitive occurrence of Match block directive
         sed -i "$FIRST_MATCH_BLOCK s/^\([[:space:]]*Match[^\n]*\)/PermitRootLogin no\n\1/I" $SSHD_CONFIG
    fi
fi
</fix>
    <fix rule="file_ownership_binary_dirs" complexity="low" disruption="low" reboot="false" strategy="disable">find /bin/ \
/usr/bin/ \
/usr/local/bin/ \
/sbin/ \
/usr/sbin/ \
/usr/local/sbin/ \
/usr/libexec \
\! -user root -execdir chown root {} \;
</fix>
    <fix rule="auditd_data_retention_num_logs" complexity="low" disruption="low" reboot="false" strategy="disable">
var_auditd_num_logs="<sub idref="var_auditd_num_logs"/>"

AUDITCONFIG=/etc/audit/auditd.conf

grep -q ^num_logs $AUDITCONFIG &amp;&amp; \
  sed -i 's/^num_logs.*/num_logs = '"$var_auditd_num_logs"'/g' $AUDITCONFIG
if ! [ $? -eq 0 ]; then
  echo "num_logs = $var_auditd_num_logs" &gt;&gt; $AUDITCONFIG
fi
</fix>
    <fix rule="sshd_enable_strictmodes" complexity="low" disruption="low" reboot="false" strategy="disable">
<sub idref="function_replace_or_append"/>
replace_or_append '/etc/ssh/sshd_config' '^StrictModes' 'yes' '$CCENUM' '%s %s'
</fix>
    <fix rule="mount_option_var_tmp_bind" complexity="low" disruption="low" reboot="false" strategy="disable"># Delete particular /etc/fstab's row if /var/tmp is already configured to
# represent a mount point (for some device or filesystem other than /tmp)
if grep -q -P '.*\/var\/tmp.*' /etc/fstab
then
  sed -i '/.*\/var\/tmp.*/d' /etc/fstab
fi

# Bind-mount /var/tmp to /tmp via /etc/fstab (preserving the /etc/fstab form)
printf "%-24s%-24s%-8s%-32s%-3s\n" "/tmp" "/var/tmp" "none" "rw,nodev,noexec,nosuid,bind" "0 0" &gt;&gt; /etc/fstab
</fix>
    <fix rule="sshd_disable_empty_passwords" complexity="low" disruption="low" reboot="false" strategy="disable">grep -q ^PermitEmptyPasswords /etc/ssh/sshd_config &amp;&amp; \
  sed -i "s/PermitEmptyPasswords.*/PermitEmptyPasswords no/g" /etc/ssh/sshd_config
if ! [ $? -eq 0 ]; then
    echo "PermitEmptyPasswords no" &gt;&gt; /etc/ssh/sshd_config
fi
</fix>
    <fix rule="selinux_policytype" complexity="low" disruption="low" reboot="false" strategy="disable">
var_selinux_policy_name="<sub idref="var_selinux_policy_name"/>"
<sub idref="function_replace_or_append"/>
replace_or_append '/etc/sysconfig/selinux' '^SELINUXTYPE=' $var_selinux_policy_name '$CCENUM' '%s=%s'
</fix>
    <fix rule="no_direct_root_logins" complexity="low" disruption="low" reboot="false" strategy="disable">echo &gt; /etc/securetty
</fix>
    <fix rule="sshd_set_idle_timeout" complexity="low" disruption="low" reboot="false" strategy="disable">
sshd_idle_timeout_value="<sub idref="sshd_idle_timeout_value"/>"

grep -q ^ClientAliveInterval /etc/ssh/sshd_config &amp;&amp; \
  sed -i "s/ClientAliveInterval.*/ClientAliveInterval $sshd_idle_timeout_value/g" /etc/ssh/sshd_config
if ! [ $? -eq 0 ]; then
    echo "ClientAliveInterval $sshd_idle_timeout_value" &gt;&gt; /etc/ssh/sshd_config
fi
</fix>
    <fix rule="no_empty_passwords" complexity="low" disruption="low" reboot="false" strategy="disable">sed --follow-symlinks -i 's/\&lt;nullok\&gt;//g' /etc/pam.d/system-auth
</fix>
    <fix rule="restrict_serial_port_logins" complexity="low" disruption="low" reboot="false" strategy="disable">sed -i '/ttyS/d' /etc/securetty
</fix>
    <fix rule="sticky_world_writable_dirs" complexity="low" disruption="low" reboot="false" strategy="disable">df --local -P | awk {'if (NR!=1) print $6'} \
| xargs -I '{}' find '{}' -xdev -type d \
\( -perm -0002 -a ! -perm -1000 \) 2&gt;/dev/null \
| xargs chmod a+t
</fix>
    <fix rule="service_sysstat_disabled" complexity="low" disruption="low" reboot="false" strategy="disable">
<sub idref="function_service_command"/>
service_command disable sysstat
</fix>
    <fix rule="service_ip6tables_enabled" complexity="low" disruption="low" reboot="false" strategy="enable">
<sub idref="function_service_command"/>
service_command enable ip6tables
</fix>
    <fix rule="package_GConf2_installed" complexity="low" disruption="low" reboot="false" strategy="enable">
<sub idref="function_package_command"/>
package_command install GConf2
</fix>
    <fix rule="service_ypbind_disabled" complexity="low" disruption="low" reboot="false" strategy="disable">
<sub idref="function_service_command"/>
service_command disable ypbind
</fix>
    <fix rule="kernel_module_squashfs_disabled" complexity="low" disruption="medium" reboot="true" strategy="disable">echo "install squashfs /bin/true" &gt; /etc/modprobe.d/squashfs.conf
</fix>
    <fix rule="service_named_disabled" complexity="low" disruption="low" reboot="false" strategy="disable">
<sub idref="function_service_command"/>
service_command disable named
</fix>
    <fix rule="sysctl_net_ipv6_conf_default_accept_ra" complexity="low" disruption="medium" reboot="true" strategy="disable">
sysctl_net_ipv6_conf_default_accept_ra_value="<sub idref="sysctl_net_ipv6_conf_default_accept_ra_value"/>"

#
# Set runtime for net.ipv6.conf.default.accept_ra
#
/sbin/sysctl -q -n -w net.ipv6.conf.default.accept_ra=$sysctl_net_ipv6_conf_default_accept_ra_value

#
# If net.ipv6.conf.default.accept_ra present in /etc/sysctl.conf, change value to appropriate value
#	else, add "net.ipv6.conf.default.accept_ra = value" to /etc/sysctl.conf
#
if grep --silent ^net.ipv6.conf.default.accept_ra /etc/sysctl.conf ; then
	sed -i "s/^net.ipv6.conf.default.accept_ra.*/net.ipv6.conf.default.accept_ra = $sysctl_net_ipv6_conf_default_accept_ra_value/g" /etc/sysctl.conf
else
	echo -e "\n# Set net.ipv6.conf.default.accept_ra to $sysctl_net_ipv6_conf_default_accept_ra_value per security requirements" &gt;&gt; /etc/sysctl.conf
	echo "net.ipv6.conf.default.accept_ra = $sysctl_net_ipv6_conf_default_accept_ra_value" &gt;&gt; /etc/sysctl.conf
fi
</fix>
    <fix rule="service_certmonger_disabled" complexity="low" disruption="low" reboot="false" strategy="disable">
<sub idref="function_service_command"/>
service_command disable certmonger
</fix>
    <fix rule="package_rsyslog_installed" complexity="low" disruption="low" reboot="false" strategy="enable">
<sub idref="function_package_command"/>
package_command install rsyslog
</fix>
    <fix rule="sysctl_net_ipv4_conf_default_secure_redirects" complexity="low" disruption="medium" reboot="true" strategy="disable">
sysctl_net_ipv4_conf_default_secure_redirects_value="<sub idref="sysctl_net_ipv4_conf_default_secure_redirects_value"/>"

#
# Set runtime for net.ipv4.conf.default.secure_redirects
#
/sbin/sysctl -q -n -w net.ipv4.conf.default.secure_redirects=$sysctl_net_ipv4_conf_default_secure_redirects_value

#
# If net.ipv4.conf.default.secure_redirects present in /etc/sysctl.conf, change value to appropriate value
#	else, add "net.ipv4.conf.default.secure_redirects = value" to /etc/sysctl.conf
#
if grep --silent ^net.ipv4.conf.default.secure_redirects /etc/sysctl.conf ; then
	sed -i "s/^net.ipv4.conf.default.secure_redirects.*/net.ipv4.conf.default.secure_redirects = $sysctl_net_ipv4_conf_default_secure_redirects_value/g" /etc/sysctl.conf
else
	echo -e "\n# Set net.ipv4.conf.default.secure_redirects to $sysctl_net_ipv4_conf_default_secure_redirects_value per security requirements" &gt;&gt; /etc/sysctl.conf
	echo "net.ipv4.conf.default.secure_redirects = $sysctl_net_ipv4_conf_default_secure_redirects_value" &gt;&gt; /etc/sysctl.conf
fi
</fix>
    <fix rule="package_irqbalance_installed" complexity="low" disruption="low" reboot="false" strategy="enable">
<sub idref="function_package_command"/>
package_command install irqbalance
</fix>
    <fix rule="service_cgred_disabled" complexity="low" disruption="low" reboot="false" strategy="disable">
<sub idref="function_service_command"/>
service_command disable cgred
</fix>
    <fix rule="sysctl_net_ipv4_conf_all_send_redirects" complexity="low" disruption="medium" reboot="true" strategy="disable">#
# Set runtime for net.ipv4.conf.all.send_redirects
#
/sbin/sysctl -q -n -w net.ipv4.conf.all.send_redirects=0

#
# If net.ipv4.conf.all.send_redirects present in /etc/sysctl.conf, change value to "0"
#	else, add "net.ipv4.conf.all.send_redirects = 0" to /etc/sysctl.conf
#
if grep --silent ^net.ipv4.conf.all.send_redirects /etc/sysctl.conf ; then
	sed -i 's/^net.ipv4.conf.all.send_redirects.*/net.ipv4.conf.all.send_redirects = 0/g' /etc/sysctl.conf
else
	echo -e "\n# Set net.ipv4.conf.all.send_redirects to 0 per security requirements" &gt;&gt; /etc/sysctl.conf
	echo "net.ipv4.conf.all.send_redirects = 0" &gt;&gt; /etc/sysctl.conf
fi
</fix>
    <fix rule="sysctl_net_ipv4_ip_forward" complexity="low" disruption="medium" reboot="true" strategy="disable">#
# Set runtime for net.ipv4.ip_forward
#
/sbin/sysctl -q -n -w net.ipv4.ip_forward=0

#
# If net.ipv4.ip_forward present in /etc/sysctl.conf, change value to "0"
#	else, add "net.ipv4.ip_forward = 0" to /etc/sysctl.conf
#
if grep --silent ^net.ipv4.ip_forward /etc/sysctl.conf ; then
	sed -i 's/^net.ipv4.ip_forward.*/net.ipv4.ip_forward = 0/g' /etc/sysctl.conf
else
	echo -e "\n# Set net.ipv4.ip_forward to 0 per security requirements" &gt;&gt; /etc/sysctl.conf
	echo "net.ipv4.ip_forward = 0" &gt;&gt; /etc/sysctl.conf
fi
</fix>
    <fix rule="sysctl_net_ipv4_conf_all_accept_redirects" complexity="low" disruption="medium" reboot="true" strategy="disable">
sysctl_net_ipv4_conf_all_accept_redirects_value="<sub idref="sysctl_net_ipv4_conf_all_accept_redirects_value"/>"

#
# Set runtime for net.ipv4.conf.all.accept_redirects
#
/sbin/sysctl -q -n -w net.ipv4.conf.all.accept_redirects=$sysctl_net_ipv4_conf_all_accept_redirects_value

#
# If net.ipv4.conf.all.accept_redirects present in /etc/sysctl.conf, change value to appropriate value
#	else, add "net.ipv4.conf.all.accept_redirects = value" to /etc/sysctl.conf
#
if grep --silent ^net.ipv4.conf.all.accept_redirects /etc/sysctl.conf ; then
	sed -i "s/^net.ipv4.conf.all.accept_redirects.*/net.ipv4.conf.all.accept_redirects = $sysctl_net_ipv4_conf_all_accept_redirects_value/g" /etc/sysctl.conf
else
	echo -e "\n# Set net.ipv4.conf.all.accept_redirects to $sysctl_net_ipv4_conf_all_accept_redirects_value per security requirements" &gt;&gt; /etc/sysctl.conf
	echo "net.ipv4.conf.all.accept_redirects = $sysctl_net_ipv4_conf_all_accept_redirects_value" &gt;&gt; /etc/sysctl.conf
fi
</fix>
    <fix rule="service_kdump_disabled" complexity="low" disruption="low" reboot="false" strategy="disable">
<sub idref="function_service_command"/>
service_command disable kdump
</fix>
    <fix rule="service_avahi-daemon_disabled" complexity="low" disruption="low" reboot="false" strategy="disable">
<sub idref="function_service_command"/>
service_command disable avahi-daemon
</fix>
    <fix rule="service_autofs_disabled" complexity="low" disruption="low" reboot="false" strategy="disable">
<sub idref="function_service_command"/>
service_command disable autofs
</fix>
    <fix rule="package_psacct_installed" complexity="low" disruption="low" reboot="false" strategy="enable">
<sub idref="function_package_command"/>
package_command install psacct
</fix>
    <fix rule="kernel_module_hfsplus_disabled" complexity="low" disruption="medium" reboot="true" strategy="disable">echo "install hfsplus /bin/true" &gt; /etc/modprobe.d/hfsplus.conf
</fix>
    <fix rule="service_oddjobd_disabled" complexity="low" disruption="low" reboot="false" strategy="disable">
<sub idref="function_service_command"/>
service_command disable oddjobd
</fix>
    <fix rule="service_atd_disabled" complexity="low" disruption="low" reboot="false" strategy="disable">
<sub idref="function_service_command"/>
service_command disable atd
</fix>
    <fix rule="service_cups_disabled" complexity="low" disruption="low" reboot="false" strategy="disable">
<sub idref="function_service_command"/>
service_command disable cups
</fix>
    <fix rule="service_smartd_disabled" complexity="low" disruption="low" reboot="false" strategy="disable">
<sub idref="function_service_command"/>
service_command disable smartd
</fix>
    <fix rule="service_rpcbind_disabled" complexity="low" disruption="low" reboot="false" strategy="disable">
<sub idref="function_service_command"/>
service_command disable rpcbind
</fix>
    <fix rule="package_policycoreutils_installed" complexity="low" disruption="low" reboot="false" strategy="enable">
<sub idref="function_package_command"/>
package_command install policycoreutils
</fix>
    <fix rule="service_snmpd_disabled" complexity="low" disruption="low" reboot="false" strategy="disable">
<sub idref="function_service_command"/>
service_command disable snmpd
</fix>
    <fix rule="service_portreserve_disabled" complexity="low" disruption="low" reboot="false" strategy="disable">
<sub idref="function_service_command"/>
service_command disable portreserve
</fix>
    <fix rule="sysctl_net_ipv4_conf_default_accept_source_route" complexity="low" disruption="medium" reboot="true" strategy="disable">
sysctl_net_ipv4_conf_default_accept_source_route_value="<sub idref="sysctl_net_ipv4_conf_default_accept_source_route_value"/>"

#
# Set runtime for net.ipv4.conf.default.accept_source_route
#
/sbin/sysctl -q -n -w net.ipv4.conf.default.accept_source_route=$sysctl_net_ipv4_conf_default_accept_source_route_value

#
# If net.ipv4.conf.default.accept_source_route present in /etc/sysctl.conf, change value to appropriate value
#	else, add "net.ipv4.conf.default.accept_source_route = value" to /etc/sysctl.conf
#
if grep --silent ^net.ipv4.conf.default.accept_source_route /etc/sysctl.conf ; then
	sed -i "s/^net.ipv4.conf.default.accept_source_route.*/net.ipv4.conf.default.accept_source_route = $sysctl_net_ipv4_conf_default_accept_source_route_value/g" /etc/sysctl.conf
else
	echo -e "\n# Set net.ipv4.conf.default.accept_source_route to $sysctl_net_ipv4_conf_default_accept_source_route_value per security requirements" &gt;&gt; /etc/sysctl.conf
	echo "net.ipv4.conf.default.accept_source_route = $sysctl_net_ipv4_conf_default_accept_source_route_value" &gt;&gt; /etc/sysctl.conf
fi
</fix>
    <fix rule="sysctl_net_ipv4_conf_all_log_martians" complexity="low" disruption="medium" reboot="true" strategy="disable">
sysctl_net_ipv4_conf_all_log_martians_value="<sub idref="sysctl_net_ipv4_conf_all_log_martians_value"/>"

#
# Set runtime for net.ipv4.conf.all.log_martians
#
/sbin/sysctl -q -n -w net.ipv4.conf.all.log_martians=$sysctl_net_ipv4_conf_all_log_martians_value

#
# If net.ipv4.conf.all.log_martians present in /etc/sysctl.conf, change value to appropriate value
#	else, add "net.ipv4.conf.all.log_martians = value" to /etc/sysctl.conf
#
if grep --silent ^net.ipv4.conf.all.log_martians /etc/sysctl.conf ; then
	sed -i "s/^net.ipv4.conf.all.log_martians.*/net.ipv4.conf.all.log_martians = $sysctl_net_ipv4_conf_all_log_martians_value/g" /etc/sysctl.conf
else
	echo -e "\n# Set net.ipv4.conf.all.log_martians to $sysctl_net_ipv4_conf_all_log_martians_value per security requirements" &gt;&gt; /etc/sysctl.conf
	echo "net.ipv4.conf.all.log_martians = $sysctl_net_ipv4_conf_all_log_martians_value" &gt;&gt; /etc/sysctl.conf
fi
</fix>
    <fix rule="file_permissions_etc_shadow" complexity="low" disruption="low" reboot="false" strategy="configure">chmod 0000 /etc/shadow
</fix>
    <fix rule="service_nfslock_disabled" complexity="low" disruption="low" reboot="false" strategy="disable">
<sub idref="function_service_command"/>
service_command disable nfslock
</fix>
    <fix rule="kernel_module_jffs2_disabled" complexity="low" disruption="medium" reboot="true" strategy="disable">echo "install jffs2 /bin/true" &gt; /etc/modprobe.d/jffs2.conf
</fix>
    <fix rule="sysctl_fs_suid_dumpable" complexity="low" disruption="medium" reboot="true" strategy="disable">#
# Set runtime for fs.suid_dumpable
#
/sbin/sysctl -q -n -w fs.suid_dumpable=0

#
# If fs.suid_dumpable present in /etc/sysctl.conf, change value to "0"
#	else, add "fs.suid_dumpable = 0" to /etc/sysctl.conf
#
if grep --silent ^fs.suid_dumpable /etc/sysctl.conf ; then
	sed -i 's/^fs.suid_dumpable.*/fs.suid_dumpable = 0/g' /etc/sysctl.conf
else
	echo -e "\n# Set fs.suid_dumpable to 0 per security requirements" &gt;&gt; /etc/sysctl.conf
	echo "fs.suid_dumpable = 0" &gt;&gt; /etc/sysctl.conf
fi
</fix>
    <fix rule="service_rpcgssd_disabled" complexity="low" disruption="low" reboot="false" strategy="disable">
<sub idref="function_service_command"/>
service_command disable rpcgssd
</fix>
    <fix rule="service_sshd_disabled" complexity="low" disruption="low" reboot="false" strategy="disable">
<sub idref="function_service_command"/>
service_command disable sshd
</fix>
    <fix rule="service_cpuspeed_disabled" complexity="low" disruption="low" reboot="false" strategy="disable">
<sub idref="function_service_command"/>
service_command disable cpuspeed
</fix>
    <fix rule="sysctl_net_ipv4_icmp_echo_ignore_broadcasts" complexity="low" disruption="medium" reboot="true" strategy="disable">
sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value="<sub idref="sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value"/>"

#
# Set runtime for net.ipv4.icmp_echo_ignore_broadcasts
#
/sbin/sysctl -q -n -w net.ipv4.icmp_echo_ignore_broadcasts=$sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value

#
# If net.ipv4.icmp_echo_ignore_broadcasts present in /etc/sysctl.conf, change value to appropriate value
#	else, add "net.ipv4.icmp_echo_ignore_broadcasts = value" to /etc/sysctl.conf
#
if grep --silent ^net.ipv4.icmp_echo_ignore_broadcasts /etc/sysctl.conf ; then
	sed -i "s/^net.ipv4.icmp_echo_ignore_broadcasts.*/net.ipv4.icmp_echo_ignore_broadcasts = $sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value/g" /etc/sysctl.conf
else
	echo -e "\n# Set net.ipv4.icmp_echo_ignore_broadcasts to $sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value per security requirements" &gt;&gt; /etc/sysctl.conf
	echo "net.ipv4.icmp_echo_ignore_broadcasts = $sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value" &gt;&gt; /etc/sysctl.conf
fi
</fix>
    <fix rule="package_ypserv_removed" complexity="low" disruption="low" reboot="false" strategy="disable">
<sub idref="function_package_command"/>
package_command remove ypserv
</fix>
    <fix rule="service_nfs_disabled" complexity="low" disruption="low" reboot="false" strategy="disable">
<sub idref="function_service_command"/>
service_command disable nfs
</fix>
    <fix rule="kernel_module_hfs_disabled" complexity="low" disruption="medium" reboot="true" strategy="disable">echo "install hfs /bin/true" &gt; /etc/modprobe.d/hfs.conf
</fix>
    <fix rule="sysctl_net_ipv4_conf_default_accept_redirects" complexity="low" disruption="medium" reboot="true" strategy="disable">
sysctl_net_ipv4_conf_default_accept_redirects_value="<sub idref="sysctl_net_ipv4_conf_default_accept_redirects_value"/>"

#
# Set runtime for net.ipv4.conf.default.accept_redirects
#
/sbin/sysctl -q -n -w net.ipv4.conf.default.accept_redirects=$sysctl_net_ipv4_conf_default_accept_redirects_value

#
# If net.ipv4.conf.default.accept_redirects present in /etc/sysctl.conf, change value to appropriate value
#	else, add "net.ipv4.conf.default.accept_redirects = value" to /etc/sysctl.conf
#
if grep --silent ^net.ipv4.conf.default.accept_redirects /etc/sysctl.conf ; then
	sed -i "s/^net.ipv4.conf.default.accept_redirects.*/net.ipv4.conf.default.accept_redirects = $sysctl_net_ipv4_conf_default_accept_redirects_value/g" /etc/sysctl.conf
else
	echo -e "\n# Set net.ipv4.conf.default.accept_redirects to $sysctl_net_ipv4_conf_default_accept_redirects_value per security requirements" &gt;&gt; /etc/sysctl.conf
	echo "net.ipv4.conf.default.accept_redirects = $sysctl_net_ipv4_conf_default_accept_redirects_value" &gt;&gt; /etc/sysctl.conf
fi
</fix>
    <fix rule="package_screen_installed" complexity="low" disruption="low" reboot="false" strategy="enable">
<sub idref="function_package_command"/>
package_command install screen
</fix>
    <fix rule="service_psacct_enabled" complexity="low" disruption="low" reboot="false" strategy="enable">
<sub idref="function_service_command"/>
service_command enable psacct
</fix>
    <fix rule="sysctl_net_ipv4_conf_all_rp_filter" complexity="low" disruption="medium" reboot="true" strategy="disable">
sysctl_net_ipv4_conf_all_rp_filter_value="<sub idref="sysctl_net_ipv4_conf_all_rp_filter_value"/>"

#
# Set runtime for net.ipv4.conf.all.rp_filter
#
/sbin/sysctl -q -n -w net.ipv4.conf.all.rp_filter=$sysctl_net_ipv4_conf_all_rp_filter_value

#
# If net.ipv4.conf.all.rp_filter present in /etc/sysctl.conf, change value to appropriate value
#	else, add "net.ipv4.conf.all.rp_filter = value" to /etc/sysctl.conf
#
if grep --silent ^net.ipv4.conf.all.rp_filter /etc/sysctl.conf ; then
	sed -i "s/^net.ipv4.conf.all.rp_filter.*/net.ipv4.conf.all.rp_filter = $sysctl_net_ipv4_conf_all_rp_filter_value/g" /etc/sysctl.conf
else
	echo -e "\n# Set net.ipv4.conf.all.rp_filter to $sysctl_net_ipv4_conf_all_rp_filter_value per security requirements" &gt;&gt; /etc/sysctl.conf
	echo "net.ipv4.conf.all.rp_filter = $sysctl_net_ipv4_conf_all_rp_filter_value" &gt;&gt; /etc/sysctl.conf
fi
</fix>
    <fix rule="package_xinetd_removed" complexity="low" disruption="low" reboot="false" strategy="disable">
<sub idref="function_package_command"/>
package_command remove xinetd
</fix>
    <fix rule="service_rsyslog_enabled" complexity="low" disruption="low" reboot="false" strategy="enable">
<sub idref="function_service_command"/>
service_command enable rsyslog
</fix>
    <fix rule="package_gdm_installed" complexity="low" disruption="low" reboot="false" strategy="enable">
<sub idref="function_package_command"/>
package_command install gdm
</fix>
    <fix rule="package_openswan_installed" complexity="low" disruption="low" reboot="false" strategy="enable">
<sub idref="function_package_command"/>
package_command install openswan
</fix>
    <fix rule="sysctl_net_ipv4_conf_default_send_redirects" complexity="low" disruption="medium" reboot="true" strategy="disable">#
# Set runtime for net.ipv4.conf.default.send_redirects
#
/sbin/sysctl -q -n -w net.ipv4.conf.default.send_redirects=0

#
# If net.ipv4.conf.default.send_redirects present in /etc/sysctl.conf, change value to "0"
#	else, add "net.ipv4.conf.default.send_redirects = 0" to /etc/sysctl.conf
#
if grep --silent ^net.ipv4.conf.default.send_redirects /etc/sysctl.conf ; then
	sed -i 's/^net.ipv4.conf.default.send_redirects.*/net.ipv4.conf.default.send_redirects = 0/g' /etc/sysctl.conf
else
	echo -e "\n# Set net.ipv4.conf.default.send_redirects to 0 per security requirements" &gt;&gt; /etc/sysctl.conf
	echo "net.ipv4.conf.default.send_redirects = 0" &gt;&gt; /etc/sysctl.conf
fi
</fix>
    <fix rule="sysctl_kernel_randomize_va_space" complexity="low" disruption="medium" reboot="true" strategy="disable">#
# Set runtime for kernel.randomize_va_space
#
/sbin/sysctl -q -n -w kernel.randomize_va_space=2

#
# If kernel.randomize_va_space present in /etc/sysctl.conf, change value to "2"
#	else, add "kernel.randomize_va_space = 2" to /etc/sysctl.conf
#
if grep --silent ^kernel.randomize_va_space /etc/sysctl.conf ; then
	sed -i 's/^kernel.randomize_va_space.*/kernel.randomize_va_space = 2/g' /etc/sysctl.conf
else
	echo -e "\n# Set kernel.randomize_va_space to 2 per security requirements" &gt;&gt; /etc/sysctl.conf
	echo "kernel.randomize_va_space = 2" &gt;&gt; /etc/sysctl.conf
fi
</fix>
    <fix rule="service_cgconfig_disabled" complexity="low" disruption="low" reboot="false" strategy="disable">
<sub idref="function_service_command"/>
service_command disable cgconfig
</fix>
    <fix rule="service_haldaemon_disabled" complexity="low" disruption="low" reboot="false" strategy="disable">
<sub idref="function_service_command"/>
service_command disable haldaemon
</fix>
    <fix rule="service_irqbalance_enabled" complexity="low" disruption="low" reboot="false" strategy="enable">
<sub idref="function_service_command"/>
service_command enable irqbalance
</fix>
    <fix rule="sysctl_net_ipv4_conf_all_accept_source_route" complexity="low" disruption="medium" reboot="true" strategy="disable">
sysctl_net_ipv4_conf_all_accept_source_route_value="<sub idref="sysctl_net_ipv4_conf_all_accept_source_route_value"/>"

#
# Set runtime for net.ipv4.conf.all.accept_source_route
#
/sbin/sysctl -q -n -w net.ipv4.conf.all.accept_source_route=$sysctl_net_ipv4_conf_all_accept_source_route_value

#
# If net.ipv4.conf.all.accept_source_route present in /etc/sysctl.conf, change value to appropriate value
#	else, add "net.ipv4.conf.all.accept_source_route = value" to /etc/sysctl.conf
#
if grep --silent ^net.ipv4.conf.all.accept_source_route /etc/sysctl.conf ; then
	sed -i "s/^net.ipv4.conf.all.accept_source_route.*/net.ipv4.conf.all.accept_source_route = $sysctl_net_ipv4_conf_all_accept_source_route_value/g" /etc/sysctl.conf
else
	echo -e "\n# Set net.ipv4.conf.all.accept_source_route to $sysctl_net_ipv4_conf_all_accept_source_route_value per security requirements" &gt;&gt; /etc/sysctl.conf
	echo "net.ipv4.conf.all.accept_source_route = $sysctl_net_ipv4_conf_all_accept_source_route_value" &gt;&gt; /etc/sysctl.conf
fi
</fix>
    <fix rule="kernel_module_tipc_disabled" complexity="low" disruption="medium" reboot="true" strategy="disable">echo "install tipc /bin/true" &gt; /etc/modprobe.d/tipc.conf
</fix>
    <fix rule="sysctl_net_ipv4_tcp_syncookies" complexity="low" disruption="medium" reboot="true" strategy="disable">
sysctl_net_ipv4_tcp_syncookies_value="<sub idref="sysctl_net_ipv4_tcp_syncookies_value"/>"

#
# Set runtime for net.ipv4.tcp_syncookies
#
/sbin/sysctl -q -n -w net.ipv4.tcp_syncookies=$sysctl_net_ipv4_tcp_syncookies_value

#
# If net.ipv4.tcp_syncookies present in /etc/sysctl.conf, change value to appropriate value
#	else, add "net.ipv4.tcp_syncookies = value" to /etc/sysctl.conf
#
if grep --silent ^net.ipv4.tcp_syncookies /etc/sysctl.conf ; then
	sed -i "s/^net.ipv4.tcp_syncookies.*/net.ipv4.tcp_syncookies = $sysctl_net_ipv4_tcp_syncookies_value/g" /etc/sysctl.conf
else
	echo -e "\n# Set net.ipv4.tcp_syncookies to $sysctl_net_ipv4_tcp_syncookies_value per security requirements" &gt;&gt; /etc/sysctl.conf
	echo "net.ipv4.tcp_syncookies = $sysctl_net_ipv4_tcp_syncookies_value" &gt;&gt; /etc/sysctl.conf
fi
</fix>
    <fix rule="sysctl_net_ipv4_conf_default_rp_filter" complexity="low" disruption="medium" reboot="true" strategy="disable">
sysctl_net_ipv4_conf_default_rp_filter_value="<sub idref="sysctl_net_ipv4_conf_default_rp_filter_value"/>"

#
# Set runtime for net.ipv4.conf.default.rp_filter
#
/sbin/sysctl -q -n -w net.ipv4.conf.default.rp_filter=$sysctl_net_ipv4_conf_default_rp_filter_value

#
# If net.ipv4.conf.default.rp_filter present in /etc/sysctl.conf, change value to appropriate value
#	else, add "net.ipv4.conf.default.rp_filter = value" to /etc/sysctl.conf
#
if grep --silent ^net.ipv4.conf.default.rp_filter /etc/sysctl.conf ; then
	sed -i "s/^net.ipv4.conf.default.rp_filter.*/net.ipv4.conf.default.rp_filter = $sysctl_net_ipv4_conf_default_rp_filter_value/g" /etc/sysctl.conf
else
	echo -e "\n# Set net.ipv4.conf.default.rp_filter to $sysctl_net_ipv4_conf_default_rp_filter_value per security requirements" &gt;&gt; /etc/sysctl.conf
	echo "net.ipv4.conf.default.rp_filter = $sysctl_net_ipv4_conf_default_rp_filter_value" &gt;&gt; /etc/sysctl.conf
fi
</fix>
    <fix rule="service_tftp_disabled" complexity="low" disruption="low" reboot="false" strategy="disable">
<sub idref="function_service_command"/>
service_command disable tftp
</fix>
    <fix rule="sysctl_kernel_exec_shield" complexity="low" disruption="medium" reboot="true" strategy="disable">#
# Set runtime for kernel.exec-shield
#
/sbin/sysctl -q -n -w kernel.exec-shield=1

#
# If kernel.exec-shield present in /etc/sysctl.conf, change value to "1"
#	else, add "kernel.exec-shield = 1" to /etc/sysctl.conf
#
if grep --silent ^kernel.exec-shield /etc/sysctl.conf ; then
	sed -i 's/^kernel.exec-shield.*/kernel.exec-shield = 1/g' /etc/sysctl.conf
else
	echo -e "\n# Set kernel.exec-shield to 1 per security requirements" &gt;&gt; /etc/sysctl.conf
	echo "kernel.exec-shield = 1" &gt;&gt; /etc/sysctl.conf
fi
</fix>
    <fix rule="service_saslauthd_disabled" complexity="low" disruption="low" reboot="false" strategy="disable">
<sub idref="function_service_command"/>
service_command disable saslauthd
</fix>
    <fix rule="package_telnet-server_removed" complexity="low" disruption="low" reboot="false" strategy="disable">
<sub idref="function_package_command"/>
package_command remove telnet-server
</fix>
    <fix rule="kernel_module_freevxfs_disabled" complexity="low" disruption="medium" reboot="true" strategy="disable">echo "install freevxfs /bin/true" &gt; /etc/modprobe.d/freevxfs.conf
</fix>
    <fix rule="service_crond_enabled" complexity="low" disruption="low" reboot="false" strategy="enable">
<sub idref="function_service_command"/>
service_command enable crond
</fix>
    <fix rule="service_iptables_enabled" complexity="low" disruption="low" reboot="false" strategy="enable">
<sub idref="function_service_command"/>
service_command enable iptables
</fix>
    <fix rule="service_ntpd_enabled" complexity="low" disruption="low" reboot="false" strategy="enable">
<sub idref="function_service_command"/>
service_command enable ntpd
</fix>
    <fix rule="package_cronie_installed" complexity="low" disruption="low" reboot="false" strategy="enable">
<sub idref="function_package_command"/>
package_command install cronie
</fix>
    <fix rule="service_auditd_enabled" complexity="low" disruption="low" reboot="false" strategy="enable">
<sub idref="function_service_command"/>
service_command enable auditd
</fix>
    <fix rule="service_mdmonitor_disabled" complexity="low" disruption="low" reboot="false" strategy="disable">
<sub idref="function_service_command"/>
service_command disable mdmonitor
</fix>
    <fix rule="service_postfix_enabled" complexity="low" disruption="low" reboot="false" strategy="enable">
<sub idref="function_service_command"/>
service_command enable postfix
</fix>
    <fix rule="service_messagebus_disabled" complexity="low" disruption="low" reboot="false" strategy="disable">
<sub idref="function_service_command"/>
service_command disable messagebus
</fix>
    <fix rule="package_samba_removed" complexity="low" disruption="low" reboot="false" strategy="disable">
<sub idref="function_package_command"/>
package_command remove samba
</fix>
    <fix rule="service_httpd_disabled" complexity="low" disruption="low" reboot="false" strategy="disable">
<sub idref="function_service_command"/>
service_command disable httpd
</fix>
    <fix rule="service_dhcpd_disabled" complexity="low" disruption="low" reboot="false" strategy="disable">
<sub idref="function_service_command"/>
service_command disable dhcpd
</fix>
    <fix rule="service_bluetooth_disabled" complexity="low" disruption="low" reboot="false" strategy="disable">
<sub idref="function_service_command"/>
service_command disable bluetooth
</fix>
    <fix rule="sysctl_kernel_dmesg_restrict" complexity="low" disruption="medium" reboot="true" strategy="disable">#
# Set runtime for kernel.dmesg_restrict
#
/sbin/sysctl -q -n -w kernel.dmesg_restrict=1

#
# If kernel.dmesg_restrict present in /etc/sysctl.conf, change value to "1"
#	else, add "kernel.dmesg_restrict = 1" to /etc/sysctl.conf
#
if grep --silent ^kernel.dmesg_restrict /etc/sysctl.conf ; then
	sed -i 's/^kernel.dmesg_restrict.*/kernel.dmesg_restrict = 1/g' /etc/sysctl.conf
else
	echo -e "\n# Set kernel.dmesg_restrict to 1 per security requirements" &gt;&gt; /etc/sysctl.conf
	echo "kernel.dmesg_restrict = 1" &gt;&gt; /etc/sysctl.conf
fi
</fix>
    <fix rule="sysctl_net_ipv4_icmp_ignore_bogus_error_responses" complexity="low" disruption="medium" reboot="true" strategy="disable">
sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value="<sub idref="sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value"/>"

#
# Set runtime for net.ipv4.icmp_ignore_bogus_error_responses
#
/sbin/sysctl -q -n -w net.ipv4.icmp_ignore_bogus_error_responses=$sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value

#
# If net.ipv4.icmp_ignore_bogus_error_responses present in /etc/sysctl.conf, change value to appropriate value
#	else, add "net.ipv4.icmp_ignore_bogus_error_responses = value" to /etc/sysctl.conf
#
if grep --silent ^net.ipv4.icmp_ignore_bogus_error_responses /etc/sysctl.conf ; then
	sed -i "s/^net.ipv4.icmp_ignore_bogus_error_responses.*/net.ipv4.icmp_ignore_bogus_error_responses = $sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value/g" /etc/sysctl.conf
else
	echo -e "\n# Set net.ipv4.icmp_ignore_bogus_error_responses to $sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value per security requirements" &gt;&gt; /etc/sysctl.conf
	echo "net.ipv4.icmp_ignore_bogus_error_responses = $sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value" &gt;&gt; /etc/sysctl.conf
fi
</fix>
    <fix rule="service_vsftpd_disabled" complexity="low" disruption="low" reboot="false" strategy="disable">
<sub idref="function_service_command"/>
service_command disable vsftpd
</fix>
    <fix rule="kernel_module_rds_disabled" complexity="low" disruption="medium" reboot="true" strategy="disable">echo "install rds /bin/true" &gt; /etc/modprobe.d/rds.conf
</fix>
    <fix rule="service_xinetd_disabled" complexity="low" disruption="low" reboot="false" strategy="disable">
<sub idref="function_service_command"/>
service_command disable xinetd
</fix>
    <fix rule="service_netconsole_disabled" complexity="low" disruption="low" reboot="false" strategy="disable">
<sub idref="function_service_command"/>
service_command disable netconsole
</fix>
    <fix rule="service_rpcsvcgssd_disabled" complexity="low" disruption="low" reboot="false" strategy="disable">
<sub idref="function_service_command"/>
service_command disable rpcsvcgssd
</fix>
    <fix rule="service_squid_disabled" complexity="low" disruption="low" reboot="false" strategy="disable">
<sub idref="function_service_command"/>
service_command disable squid
</fix>
    <fix rule="kernel_module_sctp_disabled" complexity="low" disruption="medium" reboot="true" strategy="disable">echo "install sctp /bin/true" &gt; /etc/modprobe.d/sctp.conf
</fix>
    <fix rule="service_qpidd_disabled" complexity="low" disruption="low" reboot="false" strategy="disable">
<sub idref="function_service_command"/>
service_command disable qpidd
</fix>
    <fix rule="package_iptables_installed" complexity="low" disruption="low" reboot="false" strategy="enable">
<sub idref="function_package_command"/>
package_command install iptables
</fix>
    <fix rule="kernel_module_cramfs_disabled" complexity="low" disruption="medium" reboot="true" strategy="disable">echo "install cramfs /bin/true" &gt; /etc/modprobe.d/cramfs.conf
</fix>
    <fix rule="service_quota_nld_disabled" complexity="low" disruption="low" reboot="false" strategy="disable">
<sub idref="function_service_command"/>
service_command disable quota_nld
</fix>
    <fix rule="kernel_module_dccp_disabled" complexity="low" disruption="medium" reboot="true" strategy="disable">echo "install dccp /bin/true" &gt; /etc/modprobe.d/dccp.conf
</fix>
    <fix rule="service_abrtd_disabled" complexity="low" disruption="low" reboot="false" strategy="disable">
<sub idref="function_service_command"/>
service_command disable abrtd
</fix>
    <fix rule="service_rdisc_disabled" complexity="low" disruption="low" reboot="false" strategy="disable">
<sub idref="function_service_command"/>
service_command disable rdisc
</fix>
    <fix rule="package_postfix_installed" complexity="low" disruption="low" reboot="false" strategy="enable">
<sub idref="function_package_command"/>
package_command install postfix
</fix>
    <fix rule="service_rpcidmapd_disabled" complexity="low" disruption="low" reboot="false" strategy="disable">
<sub idref="function_service_command"/>
service_command disable rpcidmapd
</fix>
    <fix rule="sysctl_net_ipv4_conf_all_secure_redirects" complexity="low" disruption="medium" reboot="true" strategy="disable">
sysctl_net_ipv4_conf_all_secure_redirects_value="<sub idref="sysctl_net_ipv4_conf_all_secure_redirects_value"/>"

#
# Set runtime for net.ipv4.conf.all.secure_redirects
#
/sbin/sysctl -q -n -w net.ipv4.conf.all.secure_redirects=$sysctl_net_ipv4_conf_all_secure_redirects_value

#
# If net.ipv4.conf.all.secure_redirects present in /etc/sysctl.conf, change value to appropriate value
#	else, add "net.ipv4.conf.all.secure_redirects = value" to /etc/sysctl.conf
#
if grep --silent ^net.ipv4.conf.all.secure_redirects /etc/sysctl.conf ; then
	sed -i "s/^net.ipv4.conf.all.secure_redirects.*/net.ipv4.conf.all.secure_redirects = $sysctl_net_ipv4_conf_all_secure_redirects_value/g" /etc/sysctl.conf
else
	echo -e "\n# Set net.ipv4.conf.all.secure_redirects to $sysctl_net_ipv4_conf_all_secure_redirects_value per security requirements" &gt;&gt; /etc/sysctl.conf
	echo "net.ipv4.conf.all.secure_redirects = $sysctl_net_ipv4_conf_all_secure_redirects_value" &gt;&gt; /etc/sysctl.conf
fi
</fix>
    <fix rule="service_restorecond_enabled" complexity="low" disruption="low" reboot="false" strategy="enable">
<sub idref="function_service_command"/>
service_command enable restorecond
</fix>
    <fix rule="service_smb_disabled" complexity="low" disruption="low" reboot="false" strategy="disable">
<sub idref="function_service_command"/>
service_command disable smb
</fix>
    <fix rule="service_acpid_disabled" complexity="low" disruption="low" reboot="false" strategy="disable">
<sub idref="function_service_command"/>
service_command disable acpid
</fix>
    <fix rule="sysctl_net_ipv6_conf_default_accept_redirects" complexity="low" disruption="medium" reboot="true" strategy="disable">
sysctl_net_ipv6_conf_default_accept_redirects_value="<sub idref="sysctl_net_ipv6_conf_default_accept_redirects_value"/>"

#
# Set runtime for net.ipv6.conf.default.accept_redirects
#
/sbin/sysctl -q -n -w net.ipv6.conf.default.accept_redirects=$sysctl_net_ipv6_conf_default_accept_redirects_value

#
# If net.ipv6.conf.default.accept_redirects present in /etc/sysctl.conf, change value to appropriate value
#	else, add "net.ipv6.conf.default.accept_redirects = value" to /etc/sysctl.conf
#
if grep --silent ^net.ipv6.conf.default.accept_redirects /etc/sysctl.conf ; then
	sed -i "s/^net.ipv6.conf.default.accept_redirects.*/net.ipv6.conf.default.accept_redirects = $sysctl_net_ipv6_conf_default_accept_redirects_value/g" /etc/sysctl.conf
else
	echo -e "\n# Set net.ipv6.conf.default.accept_redirects to $sysctl_net_ipv6_conf_default_accept_redirects_value per security requirements" &gt;&gt; /etc/sysctl.conf
	echo "net.ipv6.conf.default.accept_redirects = $sysctl_net_ipv6_conf_default_accept_redirects_value" &gt;&gt; /etc/sysctl.conf
fi
</fix>
    <fix rule="service_rhsmcertd_disabled" complexity="low" disruption="low" reboot="false" strategy="disable">
<sub idref="function_service_command"/>
service_command disable rhsmcertd
</fix>
    <fix rule="service_rhnsd_disabled" complexity="low" disruption="low" reboot="false" strategy="disable">
<sub idref="function_service_command"/>
service_command disable rhnsd
</fix>
    <fix rule="package_iptables-ipv6_installed" complexity="low" disruption="low" reboot="false" strategy="enable">
<sub idref="function_package_command"/>
package_command install iptables-ipv6
</fix>
    <fix rule="kernel_module_udf_disabled" complexity="low" disruption="medium" reboot="true" strategy="disable">echo "install udf /bin/true" &gt; /etc/modprobe.d/udf.conf
</fix>
    <fix rule="service_netfs_disabled" complexity="low" disruption="low" reboot="false" strategy="disable">
<sub idref="function_service_command"/>
service_command disable netfs
</fix>
    <fix rule="service_dovecot_disabled" complexity="low" disruption="low" reboot="false" strategy="disable">
<sub idref="function_service_command"/>
service_command disable dovecot
</fix>
    <fix rule="accounts_password_pam_difok" complexity="low" disruption="low" reboot="false" strategy="disable">
var_password_pam_difok="<sub idref="var_password_pam_difok"/>"

if grep -q "difok=" /etc/pam.d/system-auth; then   
	sed -i --follow-symlinks "s/\(difok *= *\).*/\1$var_password_pam_difok/" /etc/pam.d/system-auth
else
	sed -i --follow-symlinks "/pam_cracklib.so/ s/$/ difok=$var_password_pam_difok/" /etc/pam.d/system-auth
fi
</fix>
    <fix rule="audit_rules_dac_modification_fremovexattr" complexity="low" disruption="low" reboot="false" strategy="disable">

# Perform the remediation for the syscall rule
# Retrieve hardware architecture of the underlying system
[ $(getconf LONG_BIT) = "32" ] &amp;&amp; RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")

for ARCH in "${RULE_ARCHS[@]}"
do
	PATTERN="-a always,exit .* -F auid&gt;=500 -F auid!=4294967295 -k *"
	GROUP="xattr"
	FULL_RULE="-a always,exit -F arch=${ARCH} -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid&gt;=500 -F auid!=4294967295 -k perm_mod"
<sub idref="function_fix_audit_syscall_rule"/>
	fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done
</fix>
    <fix rule="gconf_gnome_screensaver_idle_delay" complexity="low" disruption="low" reboot="false" strategy="disable">
inactivity_timeout_value="<sub idref="inactivity_timeout_value"/>"

# Install GConf2 package if not installed
if ! rpm -q GConf2; then
  yum -y install GConf2
fi

# Set the idle time-out value for inactivity in the GNOME desktop to meet the
# requirement
gconftool-2 --direct \
            --config-source "xml:readwrite:/etc/gconf/gconf.xml.mandatory" \
            --type int \
            --set /desktop/gnome/session/idle_delay ${inactivity_timeout_value}
</fix>
    <fix rule="audit_rules_time_settimeofday" complexity="low" disruption="low" reboot="false" strategy="disable">
<sub idref="function_rhel6_perform_audit_adjtimex_settimeofday_stime_remediation"/>
rhel6_perform_audit_adjtimex_settimeofday_stime_remediation
</fix>
    <fix rule="audit_rules_dac_modification_fchownat" complexity="low" disruption="low" reboot="false" strategy="disable">

# Perform the remediation for the syscall rule
# Retrieve hardware architecture of the underlying system
[ $(getconf LONG_BIT) = "32" ] &amp;&amp; RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")

for ARCH in ${RULE_ARCHS[@]}
do
	PATTERN="-a always,exit -F arch=$ARCH -S .* -F auid&gt;=500 -F auid!=4294967295 -k *"
	GROUP="chown"
	FULL_RULE="-a always,exit -F arch=$ARCH -S chown -S fchown -S fchownat -S lchown -F auid&gt;=500 -F auid!=4294967295 -k perm_mod"
<sub idref="function_fix_audit_syscall_rule"/>
	fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done
</fix>
    <fix rule="audit_rules_file_deletion_events" complexity="low" disruption="low" reboot="false" strategy="disable">

# Perform the remediation for the syscall rule
# Retrieve hardware architecture of the underlying system
[ $(getconf LONG_BIT) = "32" ] &amp;&amp; RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")

for ARCH in ${RULE_ARCHS[@]}
do
	PATTERN="-a always,exit -F arch=$ARCH -S .* -F auid&gt;=500 -F auid!=4294967295 -k delete"
	# Use escaped BRE regex to specify rule group
	GROUP="\(rmdir\|unlink\|rename\)"
	FULL_RULE="-a always,exit -F arch=$ARCH -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid&gt;=500 -F auid!=4294967295 -k delete"
<sub idref="function_fix_audit_syscall_rule"/>
	fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done
</fix>
    <fix rule="accounts_minimum_age_login_defs" complexity="low" disruption="low" reboot="false" strategy="disable">
var_accounts_minimum_age_login_defs="<sub idref="var_accounts_minimum_age_login_defs"/>"

grep -q ^PASS_MIN_DAYS /etc/login.defs &amp;&amp; \
  sed -i "s/PASS_MIN_DAYS.*/PASS_MIN_DAYS     $var_accounts_minimum_age_login_defs/g" /etc/login.defs
if ! [ $? -eq 0 ]; then
    echo "PASS_MIN_DAYS      $var_accounts_minimum_age_login_defs" &gt;&gt; /etc/login.defs
fi
</fix>
    <fix rule="audit_rules_dac_modification_setxattr" complexity="low" disruption="low" reboot="false" strategy="disable">

# Perform the remediation for the syscall rule
# Retrieve hardware architecture of the underlying system
[ $(getconf LONG_BIT) = "32" ] &amp;&amp; RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")

for ARCH in "${RULE_ARCHS[@]}"
do
	PATTERN="-a always,exit .* -F auid&gt;=500 -F auid!=4294967295 -k *"
	GROUP="xattr"
	FULL_RULE="-a always,exit -F arch=${ARCH} -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid&gt;=500 -F auid!=4294967295 -k perm_mod"
<sub idref="function_fix_audit_syscall_rule"/>
	fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done
</fix>
    <fix rule="gconf_gdm_set_login_banner_text" complexity="low" disruption="low" reboot="false" strategy="disable">
login_banner_text="<sub idref="login_banner_text"/>"

# Install GConf2 package if not installed
if ! rpm -q GConf2; then
  yum -y install GConf2
fi

# Expand the login_banner_text value - there was a regular-expression
# matching various banners, needs to be expanded
banner_expanded=$(echo "$login_banner_text" | sed 's/\[\\s\\n\][*+]/ /g;s/\\//g;')

# Set the text shown by the GNOME Display Manager in the login screen
gconftool-2 --direct \
            --config-source "xml:readwrite:/etc/gconf/gconf.xml.mandatory" \
            --type string \
            --set /apps/gdm/simple-greeter/banner_message_text "${banner_expanded}"
</fix>
    <fix rule="gconf_gdm_disable_user_list" complexity="low" disruption="low" reboot="false" strategy="disable"># Install GConf2 package if not installed
if ! rpm -q GConf2; then
  yum -y install GConf2
fi

# Disable displaying of all known system users in the GNOME Display Manager's
# login screen
gconftool-2 --direct \
            --config-source "xml:readwrite:/etc/gconf/gconf.xml.mandatory" \
            --type bool \
            --set /apps/gdm/simple-greeter/disable_user_list true
</fix>
    <fix rule="audit_rules_dac_modification_removexattr" complexity="low" disruption="low" reboot="false" strategy="disable">

# Perform the remediation for the syscall rule
# Retrieve hardware architecture of the underlying system
[ $(getconf LONG_BIT) = "32" ] &amp;&amp; RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")

for ARCH in "${RULE_ARCHS[@]}"
do
	PATTERN="-a always,exit .* -F auid&gt;=500 -F auid!=4294967295 -k *"
	GROUP="xattr"
	FULL_RULE="-a always,exit -F arch=${ARCH} -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid&gt;=500 -F auid!=4294967295 -k perm_mod"
<sub idref="function_fix_audit_syscall_rule"/>
	fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done
</fix>
    <fix rule="accounts_maximum_age_login_defs" complexity="low" disruption="low" reboot="false" strategy="disable">
var_accounts_maximum_age_login_defs="<sub idref="var_accounts_maximum_age_login_defs"/>"

grep -q ^PASS_MAX_DAYS /etc/login.defs &amp;&amp; \
  sed -i "s/PASS_MAX_DAYS.*/PASS_MAX_DAYS     $var_accounts_maximum_age_login_defs/g" /etc/login.defs
if ! [ $? -eq 0 ]; then
    echo "PASS_MAX_DAYS      $var_accounts_maximum_age_login_defs" &gt;&gt; /etc/login.defs
fi
</fix>
    <fix rule="audit_rules_time_stime" complexity="low" disruption="low" reboot="false" strategy="disable">
<sub idref="function_rhel6_perform_audit_adjtimex_settimeofday_stime_remediation"/>
rhel6_perform_audit_adjtimex_settimeofday_stime_remediation
</fix>
    <fix rule="accounts_password_pam_ocredit" complexity="low" disruption="low" reboot="false" strategy="disable">
var_password_pam_ocredit="<sub idref="var_password_pam_ocredit"/>"

if grep -q "ocredit=" /etc/pam.d/system-auth; then   
	sed -i --follow-symlinks "s/\(ocredit *= *\).*/\1$var_password_pam_ocredit/" /etc/pam.d/system-auth
else
	sed -i --follow-symlinks "/pam_cracklib.so/ s/$/ ocredit=$var_password_pam_ocredit/" /etc/pam.d/system-auth
fi
</fix>
    <fix rule="network_disable_zeroconf" complexity="low" disruption="low" reboot="false" strategy="disable">echo "NOZEROCONF=yes" &gt;&gt; /etc/sysconfig/network
</fix>
    <fix rule="sshd_use_approved_ciphers" complexity="low" disruption="low" reboot="false" strategy="disable">grep -q ^Ciphers /etc/ssh/sshd_config &amp;&amp; \
  sed -i "s/Ciphers.*/Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc/g" /etc/ssh/sshd_config
if ! [ $? -eq 0 ]; then
    echo "Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc" &gt;&gt; /etc/ssh/sshd_config
fi
</fix>
    <fix rule="audit_rules_dac_modification_lchown" complexity="low" disruption="low" reboot="false" strategy="disable">

# Perform the remediation for the syscall rule
# Retrieve hardware architecture of the underlying system
[ $(getconf LONG_BIT) = "32" ] &amp;&amp; RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")

for ARCH in ${RULE_ARCHS[@]}
do
	PATTERN="-a always,exit -F arch=$ARCH -S .* -F auid&gt;=500 -F auid!=4294967295 -k *"
	GROUP="chown"
	FULL_RULE="-a always,exit -F arch=$ARCH -S chown -S fchown -S fchownat -S lchown -F auid&gt;=500 -F auid!=4294967295 -k perm_mod"
<sub idref="function_fix_audit_syscall_rule"/>
	fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done
</fix>
    <fix rule="banner_etc_issue" complexity="low" disruption="low" reboot="false" strategy="disable">
login_banner_text="<sub idref="login_banner_text"/>"

# There was a regular-expression matching various banners, needs to be expanded
expanded=$(echo "$login_banner_text" | sed 's/\[\\s\\n\][+*]/ /g;s/\\//g;s/[^-]- /\n\n-/g')
formatted=$(echo "$expanded" | fold -sw 80)

cat &lt;&lt;EOF &gt;/etc/issue
$formatted
EOF

printf "\n" &gt;&gt; /etc/issue
</fix>
    <fix rule="audit_rules_session_events" complexity="low" disruption="low" reboot="false" strategy="disable">

# Perform the remediation
<sub idref="function_fix_audit_watch_rule"/>
fix_audit_watch_rule "auditctl" "/var/run/utmp" "wa" "session"
fix_audit_watch_rule "auditctl" "/var/log/btmp" "wa" "session"
<sub idref="function_fix_audit_watch_rule"/>
fix_audit_watch_rule "auditctl" "/var/log/wtmp" "wa" "session"
</fix>
    <fix rule="display_login_attempts" complexity="low" disruption="low" reboot="false" strategy="disable">sed -i --follow-symlinks '/pam_limits.so/a session\t    required\t  pam_lastlog.so showfailed' /etc/pam.d/system-auth
</fix>
    <fix rule="accounts_password_pam_dcredit" complexity="low" disruption="low" reboot="false" strategy="disable">
var_password_pam_dcredit="<sub idref="var_password_pam_dcredit"/>"

if grep -q "dcredit=" /etc/pam.d/system-auth; then
	sed -i --follow-symlinks "s/\(dcredit *= *\).*/\1$var_password_pam_dcredit/" /etc/pam.d/system-auth
else
	sed -i --follow-symlinks "/pam_cracklib.so/ s/$/ dcredit=$var_password_pam_dcredit/" /etc/pam.d/system-auth
fi
</fix>
    <fix rule="accounts_password_pam_minlen" complexity="low" disruption="low" reboot="false" strategy="disable">
var_password_pam_minlen="<sub idref="var_password_pam_minlen"/>"

if grep -q "minlen=" /etc/pam.d/system-auth
then
	sed -i --follow-symlinks "s/\(minlen *= *\).*/\1$var_password_pam_minlen/" /etc/pam.d/system-auth
else
	sed -i --follow-symlinks "/pam_cracklib.so/ s/$/ minlen=$var_password_pam_minlen/" /etc/pam.d/system-auth
fi
</fix>
    <fix rule="audit_rules_dac_modification_fchmodat" complexity="low" disruption="low" reboot="false" strategy="disable">

# Perform the remediation for the syscall rule
# Retrieve hardware architecture of the underlying system
[ $(getconf LONG_BIT) = "32" ] &amp;&amp; RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")

for ARCH in "${RULE_ARCHS[@]}"
do
	PATTERN="-a always,exit -F arch=$ARCH -S .* -F auid&gt;=500 -F auid!=4294967295 -k *"
	GROUP="chmod"
	FULL_RULE="-a always,exit -F arch=$ARCH -S chmod -S fchmod -S fchmodat -F auid&gt;=500 -F auid!=4294967295 -k perm_mod"
<sub idref="function_fix_audit_syscall_rule"/>
	fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done
</fix>
    <fix rule="audit_rules_dac_modification_lremovexattr" complexity="low" disruption="low" reboot="false" strategy="disable">

# Perform the remediation for the syscall rule
# Retrieve hardware architecture of the underlying system
[ $(getconf LONG_BIT) = "32" ] &amp;&amp; RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")

for ARCH in "${RULE_ARCHS[@]}"
do
	PATTERN="-a always,exit .* -F auid&gt;=500 -F auid!=4294967295 -k *"
	GROUP="xattr"
	FULL_RULE="-a always,exit -F arch=${ARCH} -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid&gt;=500 -F auid!=4294967295 -k perm_mod"
<sub idref="function_fix_audit_syscall_rule"/>
	fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done
</fix>
    <fix rule="audit_rules_usergroup_modification" complexity="low" disruption="low" reboot="false" strategy="disable">

# Perform the remediation
<sub idref="function_fix_audit_watch_rule"/>
fix_audit_watch_rule "auditctl" "/etc/group" "wa" "audit_rules_usergroup_modification"
fix_audit_watch_rule "auditctl" "/etc/passwd" "wa" "audit_rules_usergroup_modification"
<sub idref="function_fix_audit_watch_rule"/>
fix_audit_watch_rule "auditctl" "/etc/gshadow" "wa" "audit_rules_usergroup_modification"
fix_audit_watch_rule "auditctl" "/etc/shadow" "wa" "audit_rules_usergroup_modification"
<sub idref="function_fix_audit_watch_rule"/>
fix_audit_watch_rule "auditctl" "/etc/security/opasswd" "wa" "audit_rules_usergroup_modification"
</fix>
    <fix rule="sshd_enable_warning_banner" complexity="low" disruption="low" reboot="false" strategy="disable">grep -q ^Banner /etc/ssh/sshd_config &amp;&amp; \
  sed -i "s/Banner.*/Banner \/etc\/issue/g" /etc/ssh/sshd_config
if ! [ $? -eq 0 ]; then
    echo "Banner /etc/issue" &gt;&gt; /etc/ssh/sshd_config
fi
</fix>
    <fix rule="audit_rules_kernel_module_loading" complexity="low" disruption="low" reboot="false" strategy="disable">

# First perform the remediation of the syscall rule
# Retrieve hardware architecture of the underlying system
# Note: 32-bit kernel modules can't be loaded / unloaded on 64-bit kernel =&gt;
#       it's not required on a 64-bit system to check also for the presence
#       of 32-bit's equivalent of the corresponding rule. Therefore for
#       each system it's enought to check presence of system's native rule form.
[ $(getconf LONG_BIT) = "32" ] &amp;&amp; RULE_ARCHS=("b32") || RULE_ARCHS=("b64")

for ARCH in "${RULE_ARCHS[@]}"
do
	PATTERN="-a always,exit -F arch=$ARCH -S .* -k *"
	# Use escaped BRE regex to specify rule group
	GROUP="\(init\|delete\)_module"
	FULL_RULE="-a always,exit -F arch=$ARCH -S init_module -S delete_module -k modules"
<sub idref="function_fix_audit_syscall_rule"/>
	fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done

# Then perform the remediations for the watch rules
<sub idref="function_fix_audit_watch_rule"/>
fix_audit_watch_rule "auditctl" "/sbin/insmod" "x" "modules"
fix_audit_watch_rule "auditctl" "/sbin/rmmod" "x" "modules"
<sub idref="function_fix_audit_watch_rule"/>
fix_audit_watch_rule "auditctl" "/sbin/modprobe" "x" "modules"
</fix>
    <fix rule="disable_prelink" complexity="low" disruption="low" reboot="false" strategy="disable">#
# Disable prelinking altogether
#
if grep -q ^PRELINKING /etc/sysconfig/prelink
then
  sed -i 's/PRELINKING.*/PRELINKING=no/g' /etc/sysconfig/prelink
else
  echo -e "\n# Set PRELINKING=no per security requirements" &gt;&gt; /etc/sysconfig/prelink
  echo "PRELINKING=no" &gt;&gt; /etc/sysconfig/prelink
fi

#
# Undo previous prelink changes to binaries
#
/usr/sbin/prelink -ua
</fix>
    <fix rule="smartcard_auth" complexity="low" disruption="low" reboot="false" strategy="disable">

# Install required packages
yum -y install esc
yum -y install pam_pkcs11

# Enable pcscd service
<sub idref="function_service_command"/>
service_command enable pcscd

# Configure the expected /etc/pam.d/system-auth{,-ac} settings directly
#
# The code below will configure system authentication in the way smart card
# logins will be enabled, but also user login(s) via other method to be allowed
#
# NOTE: In contrast to Red Hat Enterprise Linux 7 version of this remediation
#       script (based on the testing) it does NOT seem to be possible to use
#       the 'authconfig' command to perform the remediation for us. Because:
#
#       * calling '/usr/sbin/authconfig --enablesmartcard --update'
#	  does not update all the necessary files, while
#
#	* calling '/usr/sbin/authconfig --enablesmartcard --updateall'
#	  discards the necessary changes on /etc/pam_pkcs11/pam_pkcs11.conf
#	  performed subsequently below
#
#	Therefore we configure /etc/pam.d/system-auth{,-ac} settings directly.
#

# Define system-auth config location
SYSTEM_AUTH_CONF="/etc/pam.d/system-auth"
# Define expected 'pam_env.so' row in $SYSTEM_AUTH_CONF
PAM_ENV_SO="auth.*required.*pam_env.so"

# Define 'pam_succeed_if.so' row to be appended past $PAM_ENV_SO row into $SYSTEM_AUTH_CONF
SYSTEM_AUTH_PAM_SUCCEED="\
auth        \[success=1 default=ignore\] pam_succeed_if.so service notin \
login:gdm:xdm:kdm:xscreensaver:gnome-screensaver:kscreensaver quiet use_uid"
# Define 'pam_pkcs11.so' row to be appended past $SYSTEM_AUTH_PAM_SUCCEED
# row into SYSTEM_AUTH_CONF file
SYSTEM_AUTH_PAM_PKCS11="\
auth        \[success=done authinfo_unavail=ignore ignore=ignore default=die\] \
pam_pkcs11.so card_only"

# Define smartcard-auth config location
SMARTCARD_AUTH_CONF="/etc/pam.d/smartcard-auth"
# Define 'pam_pkcs11.so' auth section to be appended past $PAM_ENV_SO into $SMARTCARD_AUTH_CONF
SMARTCARD_AUTH_SECTION="\
auth        [success=done ignore=ignore default=die] pam_pkcs11.so wait_for_card card_only"
# Define expected 'pam_permit.so' row in $SMARTCARD_AUTH_CONF
PAM_PERMIT_SO="account.*required.*pam_permit.so"
# Define 'pam_pkcs11.so' password section
SMARTCARD_PASSWORD_SECTION="\
password    required      pam_pkcs11.so"

# First Correct the SYSTEM_AUTH_CONF configuration
if ! grep -q 'pam_pkcs11.so' "$SYSTEM_AUTH_CONF"
then
	# Append (expected) pam_succeed_if.so row past the pam_env.so into SYSTEM_AUTH_CONF file
	sed -i --follow-symlinks -e '/^'"$PAM_ENV_SO"'/a '"$SYSTEM_AUTH_PAM_SUCCEED" "$SYSTEM_AUTH_CONF"
	# Append (expected) pam_pkcs11.so row past the pam_succeed_if.so into SYSTEM_AUTH_CONF file
	sed -i --follow-symlinks -e '/^'"$SYSTEM_AUTH_PAM_SUCCEED"'/a '"$SYSTEM_AUTH_PAM_PKCS11" "$SYSTEM_AUTH_CONF"
fi

# Then also correct the SMARTCARD_AUTH_CONF
if ! grep -q 'pam_pkcs11.so' "$SMARTCARD_AUTH_CONF"
then
	# Append (expected) SMARTCARD_AUTH_SECTION row past the pam_env.so into SMARTCARD_AUTH_CONF file
	sed -i --follow-symlinks -e '/^'"$PAM_ENV_SO"'/a '"$SMARTCARD_AUTH_SECTION" "$SMARTCARD_AUTH_CONF"
	# Append (expected) SMARTCARD_PASSWORD_SECTION row past the pam_permit.so into SMARTCARD_AUTH_CONF file
	sed -i --follow-symlinks -e '/^'"$PAM_PERMIT_SO"'/a '"$SMARTCARD_PASSWORD_SECTION" "$SMARTCARD_AUTH_CONF"
fi

# Perform /etc/pam_pkcs11/pam_pkcs11.conf settings below
# Define selected constants for later reuse
SP="[:space:]"
PAM_PKCS11_CONF="/etc/pam_pkcs11/pam_pkcs11.conf"

# Ensure OCSP is turned on in $PAM_PKCS11_CONF
# 1) First replace any occurrence of 'none' value of 'cert_policy' key setting with the correct configuration
# On Red Hat Enterprise Linux 6 a space isn't required between 'cert_policy' key and value assignment !!!
sed -i "s/^[$SP]*cert_policy=none;/    cert_policy=ca, ocsp_on, signature;/g" "$PAM_PKCS11_CONF"

# 2) Then append 'ocsp_on' value setting to each 'cert_policy' key in $PAM_PKCS11_CONF configuration line,
# which does not contain it yet
# On Red Hat Enterprise Linux 6 a space isn't required between 'cert_policy' key and value assignment !!!
sed -i "/ocsp_on/! s/^[$SP]*cert_policy=\(.*\);/    cert_policy=\1, ocsp_on;/" "$PAM_PKCS11_CONF"
</fix>
    <fix rule="audit_rules_media_export" complexity="low" disruption="low" reboot="false" strategy="disable">

# Perform the remediation of the syscall rule
# Retrieve hardware architecture of the underlying system
[ $(getconf LONG_BIT) = "32" ] &amp;&amp; RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")

for ARCH in "${RULE_ARCHS[@]}"
do
	PATTERN="-a always,exit -F arch=$ARCH -S .* -F auid&gt;=500 -F auid!=4294967295 -k *"
	GROUP="mount"
	FULL_RULE="-a always,exit -F arch=$ARCH -S mount -F auid&gt;=500 -F auid!=4294967295 -k export"
<sub idref="function_fix_audit_syscall_rule"/>
	fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done
</fix>
    <fix rule="accounts_umask_etc_cshrc" complexity="low" disruption="low" reboot="false" strategy="disable">
var_accounts_user_umask="<sub idref="var_accounts_user_umask"/>"

grep -q umask /etc/csh.cshrc &amp;&amp; \
  sed -i "s/umask.*/umask $var_accounts_user_umask/g" /etc/csh.cshrc
if ! [ $? -eq 0 ]; then
    echo "umask $var_accounts_user_umask" &gt;&gt; /etc/csh.cshrc
fi
</fix>
    <fix rule="audit_rules_dac_modification_chown" complexity="low" disruption="low" reboot="false" strategy="disable">

# Perform the remediation for the syscall rule
# Retrieve hardware architecture of the underlying system
[ $(getconf LONG_BIT) = "32" ] &amp;&amp; RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")

for ARCH in ${RULE_ARCHS[@]}
do
	PATTERN="-a always,exit -F arch=$ARCH -S .* -F auid&gt;=500 -F auid!=4294967295 -k *"
	GROUP="chown"
	FULL_RULE="-a always,exit -F arch=$ARCH -S chown -S fchown -S fchownat -S lchown -F auid&gt;=500 -F auid!=4294967295 -k perm_mod"
<sub idref="function_fix_audit_syscall_rule"/>
	fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done
</fix>
    <fix rule="disable_interactive_boot" complexity="low" disruption="low" reboot="false" strategy="disable">
# Ensure value of PROMPT key in /etc/sysconfig/init is set to 'no'
grep -q ^PROMPT /etc/sysconfig/init &amp;&amp; \
  sed -i "s/PROMPT.*/PROMPT=no/g" /etc/sysconfig/init
if ! [ $? -eq 0 ]; then
    echo "PROMPT=no" &gt;&gt; /etc/sysconfig/init
fi

# Ensure 'confirm' kernel boot argument is not present in some of
# kernel lines in /etc/grub.conf
sed -i --follow-symlinks "s/confirm//gI" /etc/grub.conf
</fix>
    <fix rule="audit_rules_time_adjtimex" complexity="low" disruption="low" reboot="false" strategy="disable">
<sub idref="function_rhel6_perform_audit_adjtimex_settimeofday_stime_remediation"/>
rhel6_perform_audit_adjtimex_settimeofday_stime_remediation
</fix>
    <fix rule="gconf_gnome_screensaver_lock_enabled" complexity="low" disruption="low" reboot="false" strategy="disable"># Install GConf2 package if not installed
if ! rpm -q GConf2; then
  yum -y install GConf2
fi

# Set the screensaver locking activation in the GNOME desktop when the
# screensaver is activated
gconftool-2 --direct \
            --config-source "xml:readwrite:/etc/gconf/gconf.xml.mandatory" \
            --type bool \
            --set /apps/gnome-screensaver/lock_enabled true
</fix>
    <fix rule="accounts_password_pam_ucredit" complexity="low" disruption="low" reboot="false" strategy="disable">
var_password_pam_ucredit="<sub idref="var_password_pam_ucredit"/>"

if grep -q "ucredit=" /etc/pam.d/system-auth; then   
	sed -i --follow-symlinks "s/\(ucredit *= *\).*/\1$var_password_pam_ucredit/" /etc/pam.d/system-auth
else
	sed -i --follow-symlinks "/pam_cracklib.so/ s/$/ ucredit=$var_password_pam_ucredit/" /etc/pam.d/system-auth
fi
</fix>
    <fix rule="groupowner_shadow_file" complexity="low" disruption="low" reboot="false" strategy="disable">chgrp root /etc/shadow
</fix>
    <fix rule="mount_option_nodev_nonroot_local_partitions" complexity="low" disruption="low" reboot="false" strategy="disable">
# NOTE: Run-time reconfiguration of partitions' mount options is not possible.
# After performing this remediation be sure to also subsequently reboot the
# system as soon as possible for the remediation to take the effect!

# Shortened ID for frequently used character class
SP="[:space:]"

# Load /etc/fstab's content with LABEL= and UUID= tags expanded to real
# device names into FSTAB_REAL_DEVICES array splitting items by newline
IFS=$'\n' FSTAB_REAL_DEVICES=($(findmnt --fstab --evaluate --noheadings))

for line in ${FSTAB_REAL_DEVICES[@]}
do
    # For each line:
    # * squeeze multiple space characters into one,
    # * split line content info four columns (target, source, fstype, and
    #   mount options) by space delimiter
    IFS=$' ' read TARGET SOURCE FSTYPE MOUNT_OPTIONS &lt;&lt;&lt; "$(echo $line | tr -s ' ')"

    # Filter the targets according to the following criteria:
    # * don't include record for root partition,
    # * include the target only if it has the form of '/word.*' (not to include
    #   special entries like e.g swap),
    # * include the target only if its source has the form of '/dev.*'
    #   (to process only local partitions)
    if [[ ! $TARGET =~ ^\/$ ]] 		&amp;&amp;	# Don't include root partition
       [[ $TARGET =~ ^\/[A-Za-z0-9_] ]] &amp;&amp;	# Include if target =~ '/word.*'
       [[ $SOURCE =~ ^\/dev ]]			# Include if source =~ '/dev.*'
    then

        # Check the mount options column if it doesn't contain 'nodev' keyword yet
        if ! grep -q "nodev" &lt;&lt;&lt; "$MOUNT_OPTIONS"
        then
            # Check if current mount options is empty string ('') meaning
            # particular /etc/fstab row contain just 'defaults' keyword
            if [[ ${#MOUNT_OPTIONS} == "0" ]]
            then
                # If so, add 'defaults' back and append 'nodev' keyword
                MOUNT_OPTIONS="defaults,nodev"
            else
                # Otherwise append just 'nodev' keyword
                MOUNT_OPTIONS="$MOUNT_OPTIONS,nodev"
            fi

            # Escape possible slash ('/') characters in target for use as sed
            # expression below
            TARGET_ESCAPED=${TARGET//$'/'/$'\/'}
            # This target doesn't contain 'nodev' in mount options yet (and meets
            # the above filtering criteria). Therefore obtain particular /etc/fstab's
            # row into FSTAB_TARGET_ROW variable separating the mount options field with
            # hash '#' character
            FSTAB_TARGET_ROW=$(sed -n "s/\(.*$TARGET_ESCAPED[$SP]\+$FSTYPE[$SP]\+\)\([^$SP]\+\)/\1#\2#/p" /etc/fstab)
            # Split the retrieved value by the hash '#' delimiter to get the
            # row's head &amp; tail (i.e. columns other than mount options) which won't
            # get modified
            IFS=$'#' read TARGET_HEAD TARGET_OPTS TARGET_TAIL &lt;&lt;&lt; "$FSTAB_TARGET_ROW"
            # Replace old mount options for particular /etc/fstab's row (for this target
            # and fstype) with new mount options
            sed -i "s#${TARGET_HEAD}\(.*\)${TARGET_TAIL}#${TARGET_HEAD}${MOUNT_OPTIONS}${TARGET_TAIL}#" /etc/fstab

        fi
    fi
done
</fix>
    <fix rule="disable_users_coredumps" complexity="low" disruption="low" reboot="false" strategy="disable">echo "*     hard   core    0" &gt;&gt; /etc/security/limits.conf
</fix>
    <fix rule="file_permissions_library_dirs" complexity="low" disruption="low" reboot="false" strategy="disable">DIRS="/lib /lib64 /usr/lib /usr/lib64"
for dirPath in $DIRS; do
	find $dirPath -perm /022 -type f -exec chmod go-w '{}' \;
done
</fix>
    <fix rule="enable_selinux_bootloader" complexity="low" disruption="low" reboot="false" strategy="disable">sed -i --follow-symlinks "s/selinux=0//gI" /etc/grub.conf
sed -i --follow-symlinks "s/enforcing=0//gI" /etc/grub.conf
</fix>
    <fix rule="audit_rules_login_events" complexity="low" disruption="low" reboot="false" strategy="disable">

# Perform the remediation
<sub idref="function_fix_audit_watch_rule"/>
fix_audit_watch_rule "auditctl" "/var/log/tallylog" "wa" "logins"
fix_audit_watch_rule "auditctl" "/var/run/faillock/" "wa" "logins"
<sub idref="function_fix_audit_watch_rule"/>
fix_audit_watch_rule "auditctl" "/var/log/lastlog" "wa" "logins"
</fix>
    <fix rule="gconf_gnome_screensaver_mode_blank" complexity="low" disruption="low" reboot="false" strategy="disable"># Install GConf2 package if not installed
if ! rpm -q GConf2; then
  yum -y install GConf2
fi

# Set the screensaver mode in the GNOME desktop to a blank screen
gconftool-2 --direct \
            --config-source "xml:readwrite:/etc/gconf/gconf.xml.mandatory" \
            --type string \
            --set /apps/gnome-screensaver/mode blank-only
</fix>
    <fix rule="file_user_owner_grub_conf" complexity="low" disruption="low" reboot="false" strategy="disable">chown root /etc/grub.conf
</fix>
    <fix rule="accounts_no_uid_except_zero" complexity="low" disruption="low" reboot="false" strategy="disable">awk -F: '$3 == 0 &amp;&amp; $1 != "root" { print $1 }' /etc/passwd | xargs passwd -l
</fix>
    <fix rule="kernel_module_ipv6_option_disabled" complexity="low" disruption="low" reboot="false" strategy="disable">
# Prevent the IPv6 kernel module (ipv6) from loading the IPv6 networking stack
echo "options ipv6 disable=1" &gt; /etc/modprobe.d/ipv6.conf

# Since according to: https://access.redhat.com/solutions/72733
# "ipv6 disable=1" options doesn't always disable the IPv6 networking stack from
# loading, instruct also sysctl configuration to disable IPv6 according to:
# https://access.redhat.com/solutions/8709#rhel6disable

declare -a IPV6_SETTINGS=("net.ipv6.conf.all.disable_ipv6" "net.ipv6.conf.default.disable_ipv6")

for setting in ${IPV6_SETTINGS[@]}
do
	# Set runtime =1 for setting
	/sbin/sysctl -q -n -w "$setting=1"

	# If setting is present in /etc/sysctl.conf, change value to "1"
	# else, add "$setting = 1" to /etc/sysctl.conf
	if grep -q ^"$setting" /etc/sysctl.conf ; then
		sed -i "s/^$setting.*/$setting = 1/g" /etc/sysctl.conf
	else
		echo "" &gt;&gt; /etc/sysctl.conf
		echo "# Set $setting = 1 per security requirements" &gt;&gt; /etc/sysctl.conf
		echo "$setting = 1" &gt;&gt; /etc/sysctl.conf
	fi
done
</fix>
    <fix rule="accounts_password_pam_minclass" complexity="low" disruption="low" reboot="false" strategy="disable">
var_password_pam_minclass="<sub idref="var_password_pam_minclass"/>"

grep -q minclass /etc/pam.d/system-auth
if [ $? = "0" ]; then
    sed --follow-symlinks -i "/pam_cracklib.so/s/minclass=[0-$var_password_pam_minclass]/minclass=$var_password_pam_minclass/" /etc/pam.d/system-auth
else
    sed --follow-symlinks -i "/pam_cracklib.so/s/pam_cracklib.so /pam_cracklib.so minclass=$var_password_pam_minclass /" /etc/pam.d/system-auth
fi
</fix>
    <fix rule="mount_option_dev_shm_nosuid" complexity="low" disruption="low" reboot="false" strategy="disable">
# Load /etc/fstab's /dev/shm row into DEV_SHM_FSTAB variable separating start &amp;
# end of the filesystem mount options (4-th field) with the '#' character
DEV_SHM_FSTAB=$(sed -n "s/\(.*[[:space:]]\+\/dev\/shm[[:space:]]\+tmpfs[[:space:]]\+\)\([^[:space:]]\+\)/\1#\2#/p" /etc/fstab)

#Rest of script can trash /etc/fstab if $DEV_SHM_FSTAB is empty, check before continuing.
echo $DEV_SHM_FSTAB | grep -q -P '/dev/shm'
if [ $? -eq 0 ]; then
	# Save the:
	# * 1-th, 2-nd, 3-rd fields into DEV_SHM_HEAD variable
	# * 4-th field into DEV_SHM_OPTS variable, and
	# * 5-th, and 6-th fields into DEV_SHM_TAIL variable
	# splitting DEV_SHM_FSTAB variable value based on the '#' separator
	IFS='#' read DEV_SHM_HEAD DEV_SHM_OPTS DEV_SHM_TAIL &lt;&lt;&lt; "$DEV_SHM_FSTAB"

	# Replace occurrence of 'defaults' key with the actual list of mount options
	# for Red Hat Enterprise Linux 6
	DEV_SHM_OPTS=${DEV_SHM_OPTS//defaults/rw,suid,dev,exec,auto,nouser,async,relatime}

	# 'suid' option (not prefixed with 'no') present in the list?
	echo $DEV_SHM_OPTS | grep -q -P '(?&lt;!no)suid'
	if [ $? -eq 0 ]
	then
	        # 'suid' option found, replace with 'nosuid'
	        DEV_SHM_OPTS=${DEV_SHM_OPTS//suid/nosuid}
	fi

	# at least one 'nosuid' present in the options list?
	echo $DEV_SHM_OPTS | grep -q -v 'nosuid'
	if [ $? -eq 0 ]
	then
	        # 'nosuid' not found yet, append it
	        DEV_SHM_OPTS="$DEV_SHM_OPTS,nosuid"
	fi

	# DEV_SHM_OPTS now contains final list of mount options. Replace original form of /dev/shm row
	# in /etc/fstab with the corrected version
	sed -i "s#${DEV_SHM_HEAD}\(.*\)${DEV_SHM_TAIL}#${DEV_SHM_HEAD}${DEV_SHM_OPTS}${DEV_SHM_TAIL}#" /etc/fstab
fi
</fix>
    <fix rule="gconf_gnome_screensaver_idle_activation_enabled" complexity="low" disruption="low" reboot="false" strategy="disable"># Install GConf2 package if not installed
if ! rpm -q GConf2; then
  yum -y install GConf2
fi

# Set the screensaver activation in the GNOME desktop after a period of inactivity
gconftool-2 --direct \
            --config-source "xml:readwrite:/etc/gconf/gconf.xml.mandatory" \
            --type bool \
            --set /apps/gnome-screensaver/idle_activation_enabled true
</fix>
    <fix rule="file_permissions_grub_conf" complexity="low" disruption="low" reboot="false" strategy="disable">chmod 600 /boot/grub/grub.conf
</fix>
    <fix rule="audit_rules_dac_modification_fsetxattr" complexity="low" disruption="low" reboot="false" strategy="disable">

# Perform the remediation for the syscall rule
# Retrieve hardware architecture of the underlying system
[ $(getconf LONG_BIT) = "32" ] &amp;&amp; RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")

for ARCH in "${RULE_ARCHS[@]}"
do
	PATTERN="-a always,exit .* -F auid&gt;=500 -F auid!=4294967295 -k *"
	GROUP="xattr"
	FULL_RULE="-a always,exit -F arch=${ARCH} -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid&gt;=500 -F auid!=4294967295 -k perm_mod"
<sub idref="function_fix_audit_syscall_rule"/>
	fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done
</fix>
    <fix rule="accounts_password_pam_lcredit" complexity="low" disruption="low" reboot="false" strategy="disable">
var_password_pam_lcredit="<sub idref="var_password_pam_lcredit"/>"

if grep -q "lcredit=" /etc/pam.d/system-auth; then   
	sed -i --follow-symlinks "s/\(lcredit *= *\).*/\1$var_password_pam_lcredit/" /etc/pam.d/system-auth
else
	sed -i --follow-symlinks "/pam_cracklib.so/ s/$/ lcredit=$var_password_pam_lcredit/" /etc/pam.d/system-auth
fi
</fix>
    <fix rule="audit_rules_immutable" complexity="low" disruption="low" reboot="false" strategy="disable">
readonly AUDIT_RULES='/etc/audit/audit.rules'

# If '-e .*' setting present in audit.rules already, delete it since the
# auditctl(8) manual page instructs it should be the last rule in configuration
sed -i '/-e[[:space:]]\+.*/d' $AUDIT_RULES

# Append '-e 2' requirement at the end of audit.rules
echo '' &gt;&gt; $AUDIT_RULES
echo '# Set the audit.rules configuration immutable per security requirements' &gt;&gt; $AUDIT_RULES
echo '# Reboot is required to change audit rules once this setting is applied' &gt;&gt; $AUDIT_RULES
echo '-e 2' &gt;&gt; $AUDIT_RULES
</fix>
    <fix rule="audit_rules_networkconfig_modification" complexity="low" disruption="low" reboot="false" strategy="disable">

# First perform the remediation of the syscall rule
# Retrieve hardware architecture of the underlying system
[ $(getconf LONG_BIT) = "32" ] &amp;&amp; RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")

for ARCH in "${RULE_ARCHS[@]}"
do
	PATTERN="-a always,exit -F arch=$ARCH -S .* -k *"
	# Use escaped BRE regex to specify rule group
	GROUP="set\(host\|domain\)name"
	FULL_RULE="-a always,exit -F arch=$ARCH -S sethostname -S setdomainname -k audit_rules_networkconfig_modification"
<sub idref="function_fix_audit_syscall_rule"/>
	fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done

# Then perform the remediations for the watch rules
<sub idref="function_fix_audit_watch_rule"/>
fix_audit_watch_rule "auditctl" "/etc/issue" "wa" "audit_rules_networkconfig_modification"
fix_audit_watch_rule "auditctl" "/etc/issue.net" "wa" "audit_rules_networkconfig_modification"
<sub idref="function_fix_audit_watch_rule"/>
fix_audit_watch_rule "auditctl" "/etc/hosts" "wa" "audit_rules_networkconfig_modification"
fix_audit_watch_rule "auditctl" "/etc/sysconfig/network" "wa" "audit_rules_networkconfig_modification"
</fix>
    <fix rule="kernel_disable_entropy_contribution_for_solid_state_drives" complexity="low" disruption="low" reboot="false" strategy="disable">
# First obtain the list of block devices present on system into array
#
# Used lsblk options:
# -o NAME	Display only block device name
# -a		Display all devices (including empty ones) in the list
# -d		Don't print device holders or slaves information
# -n		Suppress printing of introductory heading line in the list
SYSTEM_BLOCK_DEVICES=($(/bin/lsblk -o NAME -a -d -n))

# For each SSD block device from that list
# (device where /sys/block/DEVICE/queue/rotation == 0)
for BLOCK_DEVICE in "${SYSTEM_BLOCK_DEVICES[@]}"
do
	# Verify the block device is SSD
	if grep -q "0" /sys/block/${BLOCK_DEVICE}/queue/rotational
	then
		# If particular SSD is configured to contribute to
		# random-number entropy pool, disable it
		if grep -q "1" /sys/block/${BLOCK_DEVICE}/queue/add_random
		then
			echo "0" &gt; /sys/block/${BLOCK_DEVICE}/queue/add_random
		fi
	fi
done
</fix>
    <fix rule="auditd_data_retention_admin_space_left_action" complexity="low" disruption="low" reboot="false" strategy="disable">
var_auditd_admin_space_left_action="<sub idref="var_auditd_admin_space_left_action"/>"

grep -q ^admin_space_left_action /etc/audit/auditd.conf &amp;&amp; \
  sed -i "s/admin_space_left_action.*/admin_space_left_action = $var_auditd_admin_space_left_action/g" /etc/audit/auditd.conf
if ! [ $? -eq 0 ]; then
    echo "admin_space_left_action = $var_auditd_admin_space_left_action" &gt;&gt; /etc/audit/auditd.conf
fi
</fix>
    <fix rule="sshd_do_not_permit_user_env" complexity="low" disruption="low" reboot="false" strategy="disable">grep -q ^PermitUserEnvironment /etc/ssh/sshd_config &amp;&amp; \
  sed -i "s/PermitUserEnvironment.*/PermitUserEnvironment no/g" /etc/ssh/sshd_config
if ! [ $? -eq 0 ]; then
    echo "PermitUserEnvironment no" &gt;&gt; /etc/ssh/sshd_config
fi
</fix>
    <fix rule="accounts_umask_etc_login_defs" complexity="low" disruption="low" reboot="false" strategy="disable">
var_accounts_user_umask="<sub idref="var_accounts_user_umask"/>"

grep -q UMASK /etc/login.defs &amp;&amp; \
  sed -i "s/UMASK.*/UMASK $var_accounts_user_umask/g" /etc/login.defs
if ! [ $? -eq 0 ]; then
    echo "UMASK $var_accounts_user_umask" &gt;&gt; /etc/login.defs
fi
</fix>
    <fix rule="mount_option_dev_shm_noexec" complexity="low" disruption="low" reboot="false" strategy="disable">
# Load /etc/fstab's /dev/shm row into DEV_SHM_FSTAB variable separating start &amp;
# end of the filesystem mount options (4-th field) with the '#' character
DEV_SHM_FSTAB=$(sed -n "s/\(.*[[:space:]]\+\/dev\/shm[[:space:]]\+tmpfs[[:space:]]\+\)\([^[:space:]]\+\)/\1#\2#/p" /etc/fstab)

#Rest of script can trash /etc/fstab if $DEV_SHM_FSTAB is empty, check before continuing.
echo $DEV_SHM_FSTAB | grep -q -P '/dev/shm'
if [ $? -eq 0 ]; then
	# Save the:
	# * 1-th, 2-nd, 3-rd fields into DEV_SHM_HEAD variable
	# * 4-th field into DEV_SHM_OPTS variable, and
	# * 5-th, and 6-th fields into DEV_SHM_TAIL variable
	# splitting DEV_SHM_FSTAB variable value based on the '#' separator
	IFS='#' read DEV_SHM_HEAD DEV_SHM_OPTS DEV_SHM_TAIL &lt;&lt;&lt; "$DEV_SHM_FSTAB"

	# Replace occurrence of 'defaults' key with the actual list of mount options
	# for Red Hat Enterprise Linux 6
	DEV_SHM_OPTS=${DEV_SHM_OPTS//defaults/rw,suid,dev,exec,auto,nouser,async,relatime}

	# 'exec' option (not prefixed with 'no') present in the list?
	echo $DEV_SHM_OPTS | grep -q -P '(?&lt;!no)exec'
	if [ $? -eq 0 ]
	then
	        # 'exec' option found, replace with 'noexec'
	        DEV_SHM_OPTS=${DEV_SHM_OPTS//exec/noexec}
	fi

	# at least one 'noexec' present in the options list?
	echo $DEV_SHM_OPTS | grep -q -v 'noexec'
	if [ $? -eq 0 ]
	then
	        # 'noexec' not found yet, append it
	        DEV_SHM_OPTS="$DEV_SHM_OPTS,noexec"
	fi

	# DEV_SHM_OPTS now contains final list of mount options. Replace original form of /dev/shm row
	# in /etc/fstab with the corrected version
	sed -i "s#${DEV_SHM_HEAD}\(.*\)${DEV_SHM_TAIL}#${DEV_SHM_HEAD}${DEV_SHM_OPTS}${DEV_SHM_TAIL}#" /etc/fstab

fi
</fix>
    <fix rule="audit_rules_time_clock_settime" complexity="low" disruption="low" reboot="false" strategy="disable">

# First perform the remediation of the syscall rule
# Retrieve hardware architecture of the underlying system
[ "$(getconf LONG_BIT)" = "32" ] &amp;&amp; RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")

for ARCH in "${RULE_ARCHS[@]}"
do
	PATTERN="-a always,exit -F arch=$ARCH -S clock_settime -F a0=.* \(-F key=\|-k \).*"
	GROUP="clock_settime"
	FULL_RULE="-a always,exit -F arch=$ARCH -S clock_settime -F a0=0x0 -k time-change"
<sub idref="function_fix_audit_syscall_rule"/>
	fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done
</fix>
    <fix rule="file_ownership_library_dirs" complexity="low" disruption="low" reboot="false" strategy="disable">for LIBDIR in /usr/lib /usr/lib64 /lib /lib64
do
  if [ -d $LIBDIR ]
  then
    find -L $LIBDIR \! -user root -exec chown root {} \; 
  fi
done
</fix>
    <fix rule="mount_option_dev_shm_nodev" complexity="low" disruption="low" reboot="false" strategy="disable">
# Load /etc/fstab's /dev/shm row into DEV_SHM_FSTAB variable separating start &amp;
# end of the filesystem mount options (4-th field) with the '#' character
DEV_SHM_FSTAB=$(sed -n "s/\(.*[[:space:]]\+\/dev\/shm[[:space:]]\+tmpfs[[:space:]]\+\)\([^[:space:]]\+\)/\1#\2#/p" /etc/fstab)

#Rest of script can trash /etc/fstab if $DEV_SHM_FSTAB is empty, check before continuing.
echo $DEV_SHM_FSTAB | grep -q -P '/dev/shm'
if [ $? -eq 0 ]; then
	# Save the:
	# * 1-th, 2-nd, 3-rd fields into DEV_SHM_HEAD variable
	# * 4-th field into DEV_SHM_OPTS variable, and
	# * 5-th, and 6-th fields into DEV_SHM_TAIL variable
	# splitting DEV_SHM_FSTAB variable value based on the '#' separator
	IFS='#' read DEV_SHM_HEAD DEV_SHM_OPTS DEV_SHM_TAIL &lt;&lt;&lt; "$DEV_SHM_FSTAB"

	# Replace occurrence of 'defaults' key with the actual list of mount options
	# for Red Hat Enterprise Linux 6
	DEV_SHM_OPTS=${DEV_SHM_OPTS//defaults/rw,suid,dev,exec,auto,nouser,async,relatime}

	# 'dev' option (not prefixed with 'no') present in the list?
	echo $DEV_SHM_OPTS | grep -q -P '(?&lt;!no)dev'
	if [ $? -eq 0 ]
	then
	        # 'dev' option found, replace with 'nodev'
	        DEV_SHM_OPTS=${DEV_SHM_OPTS//dev/nodev}
	fi

	# at least one 'nodev' present in the options list?
	echo $DEV_SHM_OPTS | grep -q -v 'nodev'
	if [ $? -eq 0 ]
	then
	        # 'nodev' not found yet, append it
	        DEV_SHM_OPTS="$DEV_SHM_OPTS,nodev"
	fi

	# DEV_SHM_OPTS now contains final list of mount options. Replace original form of /dev/shm row
	# in /etc/fstab with the corrected version
	sed -i "s#${DEV_SHM_HEAD}\(.*\)${DEV_SHM_TAIL}#${DEV_SHM_HEAD}${DEV_SHM_OPTS}${DEV_SHM_TAIL}#" /etc/fstab
fi
</fix>
    <fix rule="network_ipv6_disable_rpc" complexity="low" disruption="low" reboot="false" strategy="disable">
# Drop 'tcp6' and 'udp6' entries from /etc/netconfig to prevent RPC
# services for NFSv4 from attempting to start IPv6 network listeners
declare -a IPV6_RPC_ENTRIES=("tcp6" "udp6")

for rpc_entry in ${IPV6_RPC_ENTRIES[@]}
do
	sed -i "/^$rpc_entry[[:space:]]\+tpi\_.*inet6.*/d" /etc/netconfig
done
</fix>
    <fix rule="gconf_gdm_enable_warning_gui_banner" complexity="low" disruption="low" reboot="false" strategy="disable"># Install GConf2 package if not installed
if ! rpm -q GConf2; then
  yum -y install GConf2
fi

# Enable displaying of a login warning banner in the GNOME Display Manager's
# login screen
gconftool-2 --direct \
            --config-source "xml:readwrite:/etc/gconf/gconf.xml.mandatory" \
            --type bool \
            --set /apps/gdm/simple-greeter/banner_message_enable true
</fix>
    <fix rule="require_singleuser_auth" complexity="low" disruption="low" reboot="false" strategy="disable">grep -q ^SINGLE /etc/sysconfig/init &amp;&amp; \
  sed -i "s/SINGLE.*/SINGLE=\/sbin\/sulogin/g" /etc/sysconfig/init
if ! [ $? -eq 0 ]; then
    echo "SINGLE=/sbin/sulogin" &gt;&gt; /etc/sysconfig/init
fi
</fix>
    <fix rule="audit_rules_time_watch_localtime" complexity="low" disruption="low" reboot="false" strategy="disable">

# Perform the remediation
<sub idref="function_fix_audit_watch_rule"/>
fix_audit_watch_rule "auditctl" "/etc/localtime" "wa" "audit_time_rules"
</fix>
    <fix rule="accounts_password_minlen_login_defs" complexity="low" disruption="low" reboot="false" strategy="disable">
var_accounts_password_minlen_login_defs="<sub idref="var_accounts_password_minlen_login_defs"/>"

grep -q ^PASS_MIN_LEN /etc/login.defs &amp;&amp; \
  sed -i "s/PASS_MIN_LEN.*/PASS_MIN_LEN     $var_accounts_password_minlen_login_defs/g" /etc/login.defs
if ! [ $? -eq 0 ]; then
    echo "PASS_MIN_LEN      $var_accounts_password_minlen_login_defs" &gt;&gt; /etc/login.defs
fi
</fix>
    <fix rule="audit_rules_dac_modification_lsetxattr" complexity="low" disruption="low" reboot="false" strategy="disable">

# Perform the remediation for the syscall rule
# Retrieve hardware architecture of the underlying system
[ $(getconf LONG_BIT) = "32" ] &amp;&amp; RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")

for ARCH in "${RULE_ARCHS[@]}"
do
	PATTERN="-a always,exit .* -F auid&gt;=500 -F auid!=4294967295 -k *"
	GROUP="xattr"
	FULL_RULE="-a always,exit -F arch=${ARCH} -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid&gt;=500 -F auid!=4294967295 -k perm_mod"
<sub idref="function_fix_audit_syscall_rule"/>
	fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done
</fix>
    <fix rule="audit_rules_sysadmin_actions" complexity="low" disruption="low" reboot="false" strategy="disable">

# Perform the remediation
<sub idref="function_fix_audit_watch_rule"/>
fix_audit_watch_rule "auditctl" "/etc/sudoers" "wa" "actions"
</fix>
    <fix rule="userowner_shadow_file" complexity="low" disruption="low" reboot="false" strategy="disable">chown root /etc/shadow
</fix>
    <fix rule="accounts_password_pam_maxrepeat" complexity="low" disruption="low" reboot="false" strategy="disable">
var_password_pam_maxrepeat="<sub idref="var_password_pam_maxrepeat"/>"

if grep -q "maxrepeat=" /etc/pam.d/system-auth; then   
	sed -i --follow-symlinks "s/\(maxrepeat *= *\).*/\1$var_password_pam_maxrepeat/" /etc/pam.d/system-auth
else
	sed -i --follow-symlinks "/pam_cracklib.so/ s/$/ maxrepeat=$var_password_pam_maxrepeat/" /etc/pam.d/system-auth
fi
</fix>
    <fix rule="audit_rules_dac_modification_fchmod" complexity="low" disruption="low" reboot="false" strategy="disable">

# Perform the remediation for the syscall rule
# Retrieve hardware architecture of the underlying system
[ $(getconf LONG_BIT) = "32" ] &amp;&amp; RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")

for ARCH in "${RULE_ARCHS[@]}"
do
	PATTERN="-a always,exit -F arch=$ARCH -S .* -F auid&gt;=500 -F auid!=4294967295 -k *"
	GROUP="chmod"
	FULL_RULE="-a always,exit -F arch=$ARCH -S chmod -S fchmod -S fchmodat -F auid&gt;=500 -F auid!=4294967295 -k perm_mod"
<sub idref="function_fix_audit_syscall_rule"/>
	fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done
</fix>
    <fix rule="accounts_password_warn_age_login_defs" complexity="low" disruption="low" reboot="false" strategy="disable">
var_accounts_password_warn_age_login_defs="<sub idref="var_accounts_password_warn_age_login_defs"/>"

grep -q ^PASS_WARN_AGE /etc/login.defs &amp;&amp; \
  sed -i "s/PASS_WARN_AGE.*/PASS_WARN_AGE     $var_accounts_password_warn_age_login_defs/g" /etc/login.defs
if ! [ $? -eq 0 ]; then
    echo "PASS_WARN_AGE      $var_accounts_password_warn_age_login_defs" &gt;&gt; /etc/login.defs
fi
</fix>
    <fix rule="umask_for_daemons" complexity="low" disruption="low" reboot="false" strategy="disable">
var_umask_for_daemons="<sub idref="var_umask_for_daemons"/>"

grep -q ^umask /etc/init.d/functions &amp;&amp; \
  sed -i "s/umask.*/umask $var_umask_for_daemons/g" /etc/init.d/functions
if ! [ $? -eq 0 ]; then
    echo "umask $var_umask_for_daemons" &gt;&gt; /etc/init.d/functions
fi
</fix>
    <fix rule="file_group_owner_grub_conf" complexity="low" disruption="low" reboot="false" strategy="disable">chgrp root /etc/grub.conf
</fix>
    <fix rule="audit_rules_privileged_commands" complexity="low" disruption="low" reboot="false" strategy="disable">

# Perform the remediation
<sub idref="function_perform_audit_rules_privileged_commands_remediation"/>
perform_audit_rules_privileged_commands_remediation "auditctl" "500"
</fix>
    <fix rule="audit_rules_mac_modification" complexity="low" disruption="low" reboot="false" strategy="disable">

# Perform the remediation
<sub idref="function_fix_audit_watch_rule"/>
fix_audit_watch_rule "auditctl" "/etc/selinux/" "wa" "MAC-policy"
</fix>
    <fix rule="accounts_umask_etc_profile" complexity="low" disruption="low" reboot="false" strategy="disable">
var_accounts_user_umask="<sub idref="var_accounts_user_umask"/>"

grep -q umask /etc/profile &amp;&amp; \
  sed -i "s/umask.*/umask $var_accounts_user_umask/g" /etc/profile
if ! [ $? -eq 0 ]; then
    echo "umask $var_accounts_user_umask" &gt;&gt; /etc/profile
fi
</fix>
    <fix rule="audit_rules_dac_modification_fchown" complexity="low" disruption="low" reboot="false" strategy="disable">

# Perform the remediation for the syscall rule
# Retrieve hardware architecture of the underlying system
[ $(getconf LONG_BIT) = "32" ] &amp;&amp; RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")

for ARCH in ${RULE_ARCHS[@]}
do
	PATTERN="-a always,exit -F arch=$ARCH -S .* -F auid&gt;=500 -F auid!=4294967295 -k *"
	GROUP="chown"
	FULL_RULE="-a always,exit -F arch=$ARCH -S chown -S fchown -S fchownat -S lchown -F auid&gt;=500 -F auid!=4294967295 -k perm_mod"
<sub idref="function_fix_audit_syscall_rule"/>
	fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done
</fix>
    <fix rule="audit_rules_unsuccessful_file_modification" complexity="low" disruption="low" reboot="false" strategy="disable">

# Perform the remediation of the syscall rule
# Retrieve hardware architecture of the underlying system
[ $(getconf LONG_BIT) = "32" ] &amp;&amp; RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")

for ARCH in "${RULE_ARCHS[@]}"
do

	# First fix the -EACCES requirement
	PATTERN="-a always,exit -F arch=$ARCH -S .* -F exit=-EACCES -F auid&gt;=500 -F auid!=4294967295 -k *"
	# Use escaped BRE regex to specify rule group
	GROUP="\(creat\|open\|truncate\)"
	FULL_RULE="-a always,exit -F arch=$ARCH -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EACCES -F auid&gt;=500 -F auid!=4294967295 -k access"
<sub idref="function_fix_audit_syscall_rule"/>
	fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"

	# Then fix the -EPERM requirement
	PATTERN="-a always,exit -F arch=$ARCH -S .* -F exit=-EPERM -F auid&gt;=500 -F auid!=4294967295 -k *"
	# No need to change content of $GROUP variable - it's the same as for -EACCES case above
	FULL_RULE="-a always,exit -F arch=$ARCH -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EPERM -F auid&gt;=500 -F auid!=4294967295 -k access"
<sub idref="function_fix_audit_syscall_rule"/>
	fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"

done
</fix>
    <fix rule="account_disable_post_pw_expiration" complexity="low" disruption="low" reboot="false" strategy="disable">
var_account_disable_post_pw_expiration="<sub idref="var_account_disable_post_pw_expiration"/>"

grep -q ^INACTIVE /etc/default/useradd &amp;&amp; \
  sed -i "s/INACTIVE.*/INACTIVE=$var_account_disable_post_pw_expiration/g" /etc/default/useradd
if ! [ $? -eq 0 ]; then
    echo "INACTIVE=$var_account_disable_post_pw_expiration" &gt;&gt; /etc/default/useradd
fi
</fix>
    <fix rule="disable_ctrlaltdel_reboot" complexity="low" disruption="low" reboot="false" strategy="disable"># If system does not contain control-alt-delete.override,
if [ ! -f /etc/init/control-alt-delete.override ]; then

	# but does have control-alt-delete.conf file,
	if [ -f /etc/init/control-alt-delete.conf ]; then

		# then copy .conf to .override to maintain persistency
		cp /etc/init/control-alt-delete.conf /etc/init/control-alt-delete.override
	fi
fi
 
sed -i 's,^exec.*$,exec /usr/bin/logger -p authpriv.notice -t init "Ctrl-Alt-Del was pressed and ignored",' /etc/init/control-alt-delete.override
</fix>
    <fix rule="audit_rules_dac_modification_chmod" complexity="low" disruption="low" reboot="false" strategy="disable">

# Perform the remediation for the syscall rule
# Retrieve hardware architecture of the underlying system
[ $(getconf LONG_BIT) = "32" ] &amp;&amp; RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")

for ARCH in "${RULE_ARCHS[@]}"
do
	PATTERN="-a always,exit -F arch=$ARCH -S .* -F auid&gt;=500 -F auid!=4294967295 -k *"
	GROUP="chmod"
	FULL_RULE="-a always,exit -F arch=$ARCH -S chmod -S fchmod -S fchmodat -F auid&gt;=500 -F auid!=4294967295 -k perm_mod"
<sub idref="function_fix_audit_syscall_rule"/>
	fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done
</fix>
  </fix-group>
</fix-content>