From 31b216f0dbe9e7531f273fbbd618ff8905358497 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek
Date: Thu, 21 May 2020 13:30:24 +0200
Subject: [PATCH 1/3] simplify ansible remediation of no_direct_root_logins

---
 .../root_logins/no_direct_root_logins/ansible/shared.yml | 6 +-----
 1 file changed, 1 insertion(+), 5 deletions(-)

diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/ansible/shared.yml
index e9a29a24d5..6fbb7c72a5 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/ansible/shared.yml
+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/ansible/shared.yml
@@ -3,13 +3,9 @@
 # strategy = restrict
 # complexity = low
 # disruption = low
-- name: Test for existence of /etc/securetty
- stat:
- path: /etc/securetty
- register: securetty_empty
+
 - name: "Direct root Logins Not Allowed"
 copy:
 dest: /etc/securetty
 content: ""
- when: securetty_empty.stat.size > 1

From d12bcac36bac2a84ddf6162946b631c99fa86071 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek
Date: Thu, 21 May 2020 14:21:38 +0200
Subject: [PATCH 2/3] change name of libsemanage python bindings for rhel8

---
 shared/templates/template_ANSIBLE_sebool | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/shared/templates/template_ANSIBLE_sebool b/shared/templates/template_ANSIBLE_sebool
index 29f37081be..38d7c7c350 100644
--- a/shared/templates/template_ANSIBLE_sebool
+++ b/shared/templates/template_ANSIBLE_sebool
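Review bot: The `copy` task that remains at the end of the hunk leaves the ownership and mode of /etc/securetty implicit: as far as I recall, when the file is absent the module creates it with permissions derived from the remote umask, and when it exists the current mode is kept, so the permissions of the remediated file depend on prior state rather than on the rule. Adding `owner: root`, `group: root` and an explicit `mode` (0600 is what I believe the distribution ships; confirm against the packaged file) makes the result deterministic. Dropping the `stat` task also removes the case where `securetty_empty.stat.size` was undefined for a missing file, which the simplified task handles correctly because `copy` creates the file; a short comment such as `# an empty /etc/securetty lists no secure tty, so pam_securetty rejects direct root logins; copy creates the file if it is missing` would record that intent next to the task.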
@@ -13,11 +13,17 @@
 {{% else %}}
 - (xccdf-var var_{{{ SEBOOLID }}})
+{{% if product == "rhel8" %}}
+- name: Ensure python3-libsemanage installed
+ package:
+ name: python3-libsemanage
+ state: present
+{{% else %}}
 - name: Ensure libsemanage-python installed
 package:
 name: libsemanage-python
 state: present
-
+{{% endif %}}
 - name: Set SELinux boolean {{{ SEBOOLID }}} accordingly
 seboolean:
 name: {{{ SEBOOLID }}}

From ccf902082fc4f5abd8fae702e4322c6089773012 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek
Date: Thu, 21 May 2020 14:57:05 +0200
Subject: [PATCH 3/3] add tests for no_direct_root_logins

---
 .../root_logins/no_direct_root_logins/tests/correct.pass.sh | 3 +++
 .../root_logins/no_direct_root_logins/tests/missing.fail.sh | 3 +++
 .../root_logins/no_direct_root_logins/tests/wrong.fail.sh | 3 +++
 3 files changed, 9 insertions(+)
 create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/tests/correct.pass.sh
 create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/tests/missing.fail.sh
 create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/tests/wrong.fail.sh

diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/tests/correct.pass.sh b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/tests/correct.pass.sh
new file mode 100644
index 0000000000..17251f6a98
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/tests/correct.pass.sh
@@ -0,0 +1,3 @@
+#!/bin/bash
+
+echo > /etc/securetty
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/tests/missing.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/tests/missing.fail.sh
new file mode 100644
index 0000000000..c764814b26
--- /dev/null
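Review bot: The `{{% if product == "rhel8" %}}` branch fixes the package name for a single product, while every other product still falls into the `{{% else %}}` branch that installs `libsemanage-python`; on any product that ships only the Python 3 bindings that `package` task fails and the `seboolean` task that follows never runs, so the boolean stays unset. Keying the branch on the product's Python major version, or on a list of products that use `python3-libsemanage`, would be more robust than matching `rhel8` alone. At minimum a comment such as `# python3-libsemanage is the RHEL 8 name of the semanage bindings the seboolean module needs; extend the condition when other products move to Python 3` would tell the next maintainer where to extend it. The template's enclosing conditional starts before this hunk.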
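Review bot: `echo > /etc/securetty` in correct.pass.sh leaves a one-byte file holding a newline, whereas the Ansible remediation in the first patch writes `content: ""`, a zero-byte file, so the pass scenario does not exercise the exact state the remediation produces. If the check accepts both states (the removed `when: securetty_empty.stat.size > 1` guard suggests a lone newline was meant to count as empty), a second pass scenario using `: > /etc/securetty` would cover the remediated state as well; if it accepts only the empty file, this scenario should switch to that form.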
+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/tests/missing.fail.sh
@@ -0,0 +1,3 @@
+#!/bin/bash
+
+rm -f /etc/securetty
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/tests/wrong.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/tests/wrong.fail.sh
new file mode 100644
index 0000000000..43ac341e87
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/tests/wrong.fail.sh
@@ -0,0 +1,3 @@
+#!/bin/bash
+
+echo "something" > /etc/securetty