Add systemd check if it is running for systemctl start commands #12918

teacup-on-rockingchair
Contributor

Description:

  • When running remediation on an offline system (i.e. an image in a chroot, a virt-customize --domain setup, etc.), we can still apply the remediation by changing the configuration, thus preparing a remediated image.

Rationale:

This datastream diff is auto generated by the check Compare DS/Generate Diff.
Due to the excessive size of the diff, it has been trimmed to fit the 65535-character limit.

bash remediation for rule 'xccdf_org.ssgproject.content_rule_service_nails_enabled' differs.
--- xccdf_org.ssgproject.content_rule_service_nails_enabled
+++ xccdf_org.ssgproject.content_rule_service_nails_enabled
@@ -3,7 +3,9 @@
 
 SYSTEMCTL_EXEC='/usr/bin/systemctl'
 "$SYSTEMCTL_EXEC" unmask 'nails.service'
-"$SYSTEMCTL_EXEC" start 'nails.service'
+if [[ $("$SYSTEMCTL_EXEC" is-system-running) != "offline" ]]; then
+  "$SYSTEMCTL_EXEC" start 'nails.service'
+fi
 "$SYSTEMCTL_EXEC" enable 'nails.service'
 
 else
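
Review bot: The guard added around `"$SYSTEMCTL_EXEC" start 'nails.service'` skips the start only when the output is the exact string "offline", so every other result takes the start branch, including an empty string if `/usr/bin/systemctl` cannot be executed and any other non-running state that `is-system-running` reports, such as "unknown". If the intent is "start only when a manager is reachable", consider treating an empty result the same as "offline", or state in a comment which states are expected to fall through to `start`.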

bash remediation for rule 'xccdf_org.ssgproject.content_rule_systemd_tmp_mount_enabled' differs.
--- xccdf_org.ssgproject.content_rule_systemd_tmp_mount_enabled
+++ xccdf_org.ssgproject.content_rule_systemd_tmp_mount_enabled
@@ -3,7 +3,9 @@
 
 SYSTEMCTL_EXEC='/usr/bin/systemctl'
 "$SYSTEMCTL_EXEC" unmask 'tmp.mount'
-"$SYSTEMCTL_EXEC" start 'tmp.mount'
+if [[ $("$SYSTEMCTL_EXEC" is-system-running) != "offline" ]]; then
+  "$SYSTEMCTL_EXEC" start 'tmp.mount'
+fi
 "$SYSTEMCTL_EXEC" enable 'tmp.mount'
 
 else
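
Review bot: The new `if [[ $("$SYSTEMCTL_EXEC" is-system-running) != "offline" ]]` block before `start 'tmp.mount'` carries no comment, so someone reading the generated remediation cannot tell why the unit is enabled but not started. A one-line comment above the `if`, saying that `start` is skipped in a chroot or offline image and that `enable` takes effect on the next boot, would make that intent auditable in the script itself.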

bash remediation for rule 'xccdf_org.ssgproject.content_rule_timer_dnf-automatic_enabled' differs.
--- xccdf_org.ssgproject.content_rule_timer_dnf-automatic_enabled
+++ xccdf_org.ssgproject.content_rule_timer_dnf-automatic_enabled
@@ -2,7 +2,9 @@
 if ! ( { rpm --quiet -q kernel ;} && { rpm --quiet -q rpm-ostree ;} && { rpm --quiet -q bootc ;} && { ! rpm --quiet -q openshift-kubelet ;} ); then
 
 SYSTEMCTL_EXEC='/usr/bin/systemctl'
-"$SYSTEMCTL_EXEC" start 'dnf-automatic.timer'
+if [[ $("$SYSTEMCTL_EXEC" is-system-running) != "offline" ]]; then
+  "$SYSTEMCTL_EXEC" start 'dnf-automatic.timer'
+fi
 "$SYSTEMCTL_EXEC" enable 'dnf-automatic.timer'
 
 else

bash remediation for rule 'xccdf_org.ssgproject.content_rule_service_debug-shell_disabled' differs.
--- xccdf_org.ssgproject.content_rule_service_debug-shell_disabled
+++ xccdf_org.ssgproject.content_rule_service_debug-shell_disabled
@@ -2,12 +2,16 @@
 if rpm --quiet -q kernel; then
 
 SYSTEMCTL_EXEC='/usr/bin/systemctl'
-"$SYSTEMCTL_EXEC" stop 'debug-shell.service'
+if [[ $("$SYSTEMCTL_EXEC" is-system-running) != "offline" ]]; then
+  "$SYSTEMCTL_EXEC" stop 'debug-shell.service'
+fi
 "$SYSTEMCTL_EXEC" disable 'debug-shell.service'
 "$SYSTEMCTL_EXEC" mask 'debug-shell.service'
 # Disable socket activation if we have a unit file for it
 if "$SYSTEMCTL_EXEC" -q list-unit-files debug-shell.socket; then
-    "$SYSTEMCTL_EXEC" stop 'debug-shell.socket'
+    if [[ $("$SYSTEMCTL_EXEC" is-system-running) != "offline" ]]; then
+      "$SYSTEMCTL_EXEC" stop 'debug-shell.socket'
+    fi
     "$SYSTEMCTL_EXEC" mask 'debug-shell.socket'
 fi
 # The service may not be running because it has been started and failed,
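
Review bot: `is-system-running` is invoked twice in this script, once before `stop 'debug-shell.service'` and again before `stop 'debug-shell.socket'`, and the two calls could in principle return different answers. Evaluating it once next to `SYSTEMCTL_EXEC='/usr/bin/systemctl'`, storing the result in a variable, and testing that variable in both places keeps the service and socket decisions consistent and avoids the extra process. The same guard text is repeated in every rule in this diff, so a shared helper would also keep them from drifting apart.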

bash remediation for rule 'xccdf_org.ssgproject.content_rule_service_pcscd_enabled' differs.
--- xccdf_org.ssgproject.content_rule_service_pcscd_enabled
+++ xccdf_org.ssgproject.content_rule_service_pcscd_enabled
@@ -3,7 +3,9 @@
 
 SYSTEMCTL_EXEC='/usr/bin/systemctl'
 "$SYSTEMCTL_EXEC" unmask 'pcscd.service'
-"$SYSTEMCTL_EXEC" start 'pcscd.service'
+if [[ $("$SYSTEMCTL_EXEC" is-system-running) != "offline" ]]; then
+  "$SYSTEMCTL_EXEC" start 'pcscd.service'
+fi
 "$SYSTEMCTL_EXEC" enable 'pcscd.service'
 
 else

bash remediation for rule 'xccdf_org.ssgproject.content_rule_service_rsyslog_enabled' differs.
--- xccdf_org.ssgproject.content_rule_service_rsyslog_enabled
+++ xccdf_org.ssgproject.content_rule_service_rsyslog_enabled
@@ -3,7 +3,9 @@
 
 SYSTEMCTL_EXEC='/usr/bin/systemctl'
 "$SYSTEMCTL_EXEC" unmask 'rsyslog.service'
-"$SYSTEMCTL_EXEC" start 'rsyslog.service'
+if [[ $("$SYSTEMCTL_EXEC" is-system-running) != "offline" ]]; then
+  "$SYSTEMCTL_EXEC" start 'rsyslog.service'
+fi
 "$SYSTEMCTL_EXEC" enable 'rsyslog.service'
 
 else

bash remediation for rule 'xccdf_org.ssgproject.content_rule_service_systemd-journald_enabled' differs.
--- xccdf_org.ssgproject.content_rule_service_systemd-journald_enabled
+++ xccdf_org.ssgproject.content_rule_service_systemd-journald_enabled
@@ -3,7 +3,9 @@
 
 SYSTEMCTL_EXEC='/usr/bin/systemctl'
 "$SYSTEMCTL_EXEC" unmask 'systemd-journald.service'
-"$SYSTEMCTL_EXEC" start 'systemd-journald.service'
+if [[ $("$SYSTEMCTL_EXEC" is-system-running) != "offline" ]]; then
+  "$SYSTEMCTL_EXEC" start 'systemd-journald.service'
+fi
 "$SYSTEMCTL_EXEC" enable 'systemd-journald.service'
 
 else

bash remediation for rule 'xccdf_org.ssgproject.content_rule_socket_systemd-journal-remote_disabled' differs.
--- xccdf_org.ssgproject.content_rule_socket_systemd-journal-remote_disabled
+++ xccdf_org.ssgproject.content_rule_socket_systemd-journal-remote_disabled
@@ -5,7 +5,9 @@
 SYSTEMCTL_EXEC='/usr/bin/systemctl'
 
 if "$SYSTEMCTL_EXEC" -q list-unit-files --type socket | grep -q "$SOCKET_NAME"; then
-    "$SYSTEMCTL_EXEC" stop "$SOCKET_NAME"
+    if [[ $("$SYSTEMCTL_EXEC" is-system-running) != "offline" ]]; then
+      "$SYSTEMCTL_EXEC" stop "$SOCKET_NAME"
+    fi
     "$SYSTEMCTL_EXEC" mask "$SOCKET_NAME"
 fi
 

bash remediation for rule 'xccdf_org.ssgproject.content_rule_timer_logrotate_enabled' differs.
--- xccdf_org.ssgproject.content_rule_timer_logrotate_enabled
+++ xccdf_org.ssgproject.content_rule_timer_logrotate_enabled
@@ -2,7 +2,9 @@
 if rpm --quiet -q kernel && { ( grep -qP "^ID=[\"']?rhel[\"']?$" "/etc/os-release" && { real="$(grep -P "^VERSION_ID=[\"']?[\w.]+[\"']?$" /etc/os-release | sed "s/^VERSION_ID=[\"']\?\([^\"']\+\)[\"']\?$/\1/")"; expected="9"; printf "%s\n%s" "$expected" "$real" | sort -VC; } && rpm --quiet -q logrotate ); }; then
 
 SYSTEMCTL_EXEC='/usr/bin/systemctl'
-"$SYSTEMCTL_EXEC" start 'logrotate.timer'
+if [[ $("$SYSTEMCTL_EXEC" is-system-running) != "offline" ]]; then
+  "$SYSTEMCTL_EXEC" start 'logrotate.timer'
+fi
 "$SYSTEMCTL_EXEC" enable 'logrotate.timer'
 
 else

bash remediation for rule 'xccdf_org.ssgproject.content_rule_service_syslogng_enabled' differs.
--- xccdf_org.ssgproject.content_rule_service_syslogng_enabled
+++ xccdf_org.ssgproject.content_rule_service_syslogng_enabled
@@ -3,7 +3,9 @@
 
 SYSTEMCTL_EXEC='/usr/bin/systemctl'
 "$SYSTEMCTL_EXEC" unmask 'syslog-ng.service'
-"$SYSTEMCTL_EXEC" start 'syslog-ng.service'
+if [[ $("$SYSTEMCTL_EXEC" is-system-running) != "offline" ]]; then
+  "$SYSTEMCTL_EXEC" start 'syslog-ng.service'
+fi
 "$SYSTEMCTL_EXEC" enable 'syslog-ng.service'
 
 else

bash remediation for rule 'xccdf_org.ssgproject.content_rule_service_firewalld_enabled' differs.
--- xccdf_org.ssgproject.content_rule_service_firewalld_enabled
+++ xccdf_org.ssgproject.content_rule_service_firewalld_enabled
@@ -3,7 +3,9 @@
 
 SYSTEMCTL_EXEC='/usr/bin/systemctl'
 "$SYSTEMCTL_EXEC" unmask 'firewalld.service'
-"$SYSTEMCTL_EXEC" start 'firewalld.service'
+if [[ $("$SYSTEMCTL_EXEC" is-system-running) != "offline" ]]; then
+  "$SYSTEMCTL_EXEC" start 'firewalld.service'
+fi
 "$SYSTEMCTL_EXEC" enable 'firewalld.service'
 
 else

bash remediation for rule 'xccdf_org.ssgproject.content_rule_service_ip6tables_enabled' differs.
--- xccdf_org.ssgproject.content_rule_service_ip6tables_enabled
+++ xccdf_org.ssgproject.content_rule_service_ip6tables_enabled
@@ -3,7 +3,9 @@
 
 SYSTEMCTL_EXEC='/usr/bin/systemctl'
 "$SYSTEMCTL_EXEC" unmask 'ip6tables.service'
-"$SYSTEMCTL_EXEC" start 'ip6tables.service'
+if [[ $("$SYSTEMCTL_EXEC" is-system-running) != "offline" ]]; then
+  "$SYSTEMCTL_EXEC" start 'ip6tables.service'
+fi
 "$SYSTEMCTL_EXEC" enable 'ip6tables.service'
 
 else

bash remediation for rule 'xccdf_org.ssgproject.content_rule_service_iptables_enabled' differs.
--- xccdf_org.ssgproject.content_rule_service_iptables_enabled
+++ xccdf_org.ssgproject.content_rule_service_iptables_enabled
@@ -3,7 +3,9 @@
 
 SYSTEMCTL_EXEC='/usr/bin/systemctl'
 "$SYSTEMCTL_EXEC" unmask 'iptables.service'
-"$SYSTEMCTL_EXEC" start 'iptables.service'
+if [[ $("$SYSTEMCTL_EXEC" is-system-running) != "offline" ]]; then
+  "$SYSTEMCTL_EXEC" start 'iptables.service'
+fi
 "$SYSTEMCTL_EXEC" enable 'iptables.service'
 
 else

bash remediation for rule 'xccdf_org.ssgproject.content_rule_service_nftables_enabled' differs.
--- xccdf_org.ssgproject.content_rule_service_nftables_enabled
+++ xccdf_org.ssgproject.content_rule_service_nftables_enabled
@@ -3,7 +3,9 @@
 
 SYSTEMCTL_EXEC='/usr/bin/systemctl'
 "$SYSTEMCTL_EXEC" unmask 'nftables.service'
-"$SYSTEMCTL_EXEC" start 'nftables.service'
+if [[ $("$SYSTEMCTL_EXEC" is-system-running) != "offline" ]]; then
+  "$SYSTEMCTL_EXEC" start 'nftables.service'
+fi
 "$SYSTEMCTL_EXEC" enable 'nftables.service'
 
 else

bash remediation for rule 'xccdf_org.ssgproject.content_rule_service_nftables_disabled' differs.
--- xccdf_org.ssgproject.content_rule_service_nftables_disabled
+++ xccdf_org.ssgproject.content_rule_service_nftables_disabled
@@ -2,12 +2,16 @@
 if ( rpm --quiet -q firewalld && rpm --quiet -q nftables && rpm --quiet -q kernel ); then
 
 SYSTEMCTL_EXEC='/usr/bin/systemctl'
-"$SYSTEMCTL_EXEC" stop 'nftables.service'
+if [[ $("$SYSTEMCTL_EXEC" is-system-running) != "offline" ]]; then
+  "$SYSTEMCTL_EXEC" stop 'nftables.service'
+fi
 "$SYSTEMCTL_EXEC" disable 'nftables.service'
 "$SYSTEMCTL_EXEC" mask 'nftables.service'
 # Disable socket activation if we have a unit file for it
 if "$SYSTEMCTL_EXEC" -q list-unit-files nftables.socket; then
-    "$SYSTEMCTL_EXEC" stop 'nftables.socket'
+    if [[ $("$SYSTEMCTL_EXEC" is-system-running) != "offline" ]]; then
+      "$SYSTEMCTL_EXEC" stop 'nftables.socket'
+    fi
     "$SYSTEMCTL_EXEC" mask 'nftables.socket'
 fi
 # The service may not be running because it has been started and failed,
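
Review bot: Indentation is inconsistent in the nested guard around `stop 'nftables.socket'`: the enclosing `if ... list-unit-files nftables.socket; then` body is indented four spaces, but the line inside the new `if` is indented only two further (six in total), while the top-level guard above uses a two-space step as well. Pick one step for the added blocks, preferably the four spaces already used by the surrounding code, so the generated remediation reads uniformly.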

bash remediation for rule 'xccdf_org.ssgproject.content_rule_service_ufw_enabled' differs.
--- xccdf_org.ssgproject.content_rule_service_ufw_enabled
+++ xccdf_org.ssgproject.content_rule_service_ufw_enabled
@@ -3,7 +3,9 @@
 
 SYSTEMCTL_EXEC='/usr/bin/systemctl'
 "$SYSTEMCTL_EXEC" unmask 'ufw.service'
-"$SYSTEMCTL_EXEC" start 'ufw.service'
+if [[ $("$SYSTEMCTL_EXEC" is-system-running) != "offline" ]]; then
+  "$SYSTEMCTL_EXEC" start 'ufw.service'
+fi
 "$SYSTEMCTL_EXEC" enable 'ufw.service'
 
 else

bash remediation for rule 'xccdf_org.ssgproject.content_rule_service_bluetooth_disabled' differs.
--- xccdf_org.ssgproject.content_rule_service_bluetooth_disabled
+++ xccdf_org.ssgproject.content_rule_service_bluetooth_disabled
@@ -2,12 +2,16 @@
 if rpm --quiet -q kernel; then
 
 SYSTEMCTL_EXEC='/usr/bin/systemctl'
-"$SYSTEMCTL_EXEC" stop 'bluetooth.service'
+if [[ $("$SYSTEMCTL_EXEC" is-system-running) != "offline" ]]; then
+  "$SYSTEMCTL_EXEC" stop 'bluetooth.service'
+fi
 "$SYSTEMCTL_EXEC" disable 'bluetooth.service'
 "$SYSTEMCTL_EXEC" mask 'bluetooth.service'
 # Disable socket activation if we have a unit file for it
 if "$SYSTEMCTL_EXEC" -q list-unit-files bluetooth.socket; then
-    "$SYSTEMCTL_EXEC" stop 'bluetooth.socket'
+    if [[ $("$SYSTEMCTL_EXEC" is-system-running) != "offline" ]]; then
+      "$SYSTEMCTL_EXEC" stop 'bluetooth.socket'
+    fi
     "$SYSTEMCTL_EXEC" mask 'bluetooth.socket'
 fi
 # The service may not be running because it has been started and failed,

bash remediation for rule 'xccdf_org.ssgproject.content_rule_service_autofs_disabled' differs.
--- xccdf_org.ssgproject.content_rule_service_autofs_disabled
+++ xccdf_org.ssgproject.content_rule_service_autofs_disabled
@@ -2,12 +2,16 @@
 if ( rpm --quiet -q autofs && rpm --quiet -q kernel ); then
 
 SYSTEMCTL_EXEC='/usr/bin/systemctl'
-"$SYSTEMCTL_EXEC" stop 'autofs.service'
+if [[ $("$SYSTEMCTL_EXEC" is-system-running) != "offline" ]]; then
+  "$SYSTEMCTL_EXEC" stop 'autofs.service'
+fi
 "$SYSTEMCTL_EXEC" disable 'autofs.service'
 "$SYSTEMCTL_EXEC" mask 'autofs.service'
 # Disable socket activation if we have a unit file for it
 if "$SYSTEMCTL_EXEC" -q list-unit-files autofs.socket; then
-    "$SYSTEMCTL_EXEC" stop 'autofs.socket'
+    if [[ $("$SYSTEMCTL_EXEC" is-system-running) != "offline" ]]; then
+      "$SYSTEMCTL_EXEC" stop 'autofs.socket'
+    fi
     "$SYSTEMCTL_EXEC" mask 'autofs.socket'
 fi
 # The service may not be running because it has been started and failed,

bash remediation for rule 'xccdf_org.ssgproject.content_rule_service_systemd-coredump_disabled' differs.
--- xccdf_org.ssgproject.content_rule_service_systemd-coredump_disabled
+++ xccdf_org.ssgproject.content_rule_service_systemd-coredump_disabled
@@ -5,7 +5,9 @@
 SYSTEMCTL_EXEC='/usr/bin/systemctl'
 
 if "$SYSTEMCTL_EXEC" -q list-unit-files --type socket | grep -q "$SOCKET_NAME"; then
-    "$SYSTEMCTL_EXEC" stop "$SOCKET_NAME"
+    if [[ $("$SYSTEMCTL_EXEC" is-system-running) != "offline" ]]; then
+      "$SYSTEMCTL_EXEC" stop "$SOCKET_NAME"
+    fi
     "$SYSTEMCTL_EXEC" mask "$SOCKET_NAME"
 fi
 

bash remediation for rule 'xccdf_org.ssgproject.content_rule_service_avahi-daemon_disabled' differs.
--- xccdf_org.ssgproject.content_rule_service_avahi-daemon_disabled
+++ xccdf_org.ssgproject.content_rule_service_avahi-daemon_disabled
@@ -2,12 +2,16 @@
 if ( rpm --quiet -q avahi && rpm --quiet -q kernel ); then
 
 SYSTEMCTL_EXEC='/usr/bin/systemctl'
-"$SYSTEMCTL_EXEC" stop 'avahi-daemon.service'
+if [[ $("$SYSTEMCTL_EXEC" is-system-running) != "offline" ]]; then
+  "$SYSTEMCTL_EXEC" stop 'avahi-daemon.service'
+fi
 "$SYSTEMCTL_EXEC" disable 'avahi-daemon.service'
 "$SYSTEMCTL_EXEC" mask 'avahi-daemon.service'
 # Disable socket activation if we have a unit file for it
 if "$SYSTEMCTL_EXEC" -q list-unit-files avahi-daemon.socket; then
-    "$SYSTEMCTL_EXEC" stop 'avahi-daemon.socket'
+    if [[ $("$SYSTEMCTL_EXEC" is-system-running) != "offline" ]]; then
+      "$SYSTEMCTL_EXEC" stop 'avahi-daemon.socket'
+    fi
     "$SYSTEMCTL_EXEC" mask 'avahi-daemon.socket'
 fi
 # The service may not be running because it has been started and failed,

bash remediation for rule 'xccdf_org.ssgproject.content_rule_service_psacct_enabled' differs.
--- xccdf_org.ssgproject.content_rule_service_psacct_enabled
+++ xccdf_org.ssgproject.content_rule_service_psacct_enabled
@@ -3,7 +3,9 @@
 
 SYSTEMCTL_EXEC='/usr/bin/systemctl'
 "$SYSTEMCTL_EXEC" unmask 'psacct.service'
-"$SYSTEMCTL_EXEC" start 'psacct.service'
+if [[ $("$SYSTEMCTL_EXEC" is-system-running) != "offline" ]]; then
+  "$SYSTEMCTL_EXEC" start 'psacct.service'
+fi
 "$SYSTEMCTL_EXEC" enable 'psacct.service'
 
 else

bash remediation for rule 'xccdf_org.ssgproject.content_rule_service_abrtd_disabled' differs.
--- xccdf_org.ssgproject.content_rule_service_abrtd_disabled
+++ xccdf_org.ssgproject.content_rule_service_abrtd_disabled
@@ -2,12 +2,16 @@
 if rpm --quiet -q kernel; then
 
 SYSTEMCTL_EXEC='/usr/bin/systemctl'
-"$SYSTEMCTL_EXEC" stop 'abrtd.service'
+if [[ $("$SYSTEMCTL_EXEC" is-system-running) != "offline" ]]; then
+  "$SYSTEMCTL_EXEC" stop 'abrtd.service'
+fi
 "$SYSTEMCTL_EXEC" disable 'abrtd.service'
 "$SYSTEMCTL_EXEC" mask 'abrtd.service'
 # Disable socket activation if we have a unit file for it
 if "$SYSTEMCTL_EXEC" -q list-unit-files abrtd.socket; then
-    "$SYSTEMCTL_EXEC" stop 'abrtd.socket'
+    if [[ $("$SYSTEMCTL_EXEC" is-system-running) != "offline" ]]; then
+      "$SYSTEMCTL_EXEC" stop 'abrtd.socket'
+    fi
     "$SYSTEMCTL_EXEC" mask 'abrtd.socket'
 fi
 # The service may not be running because it has been started and failed,

bash remediation for rule 'xccdf_org.ssgproject.content_rule_service_acpid_disabled' differs.
--- xccdf_org.ssgproject.content_rule_service_acpid_disabled
+++ xccdf_org.ssgproject.content_rule_service_acpid_disabled
@@ -2,12 +2,16 @@
 if rpm --quiet -q kernel; then
 
 SYSTEMCTL_EXEC='/usr/bin/systemctl'
-"$SYSTEMCTL_EXEC" stop 'acpid.service'
+if [[ $("$SYSTEMCTL_EXEC" is-system-running) != "offline" ]]; then
+  "$SYSTEMCTL_EXEC" stop 'acpid.service'
+fi
 "$SYSTEMCTL_EXEC" disable 'acpid.service'
 "$SYSTEMCTL_EXEC" mask 'acpid.service'
 # Disable socket activation if we have a unit file for it
 if "$SYSTEMCTL_EXEC" -q list-unit-files acpid.socket; then
-    "$SYSTEMCTL_EXEC" stop 'acpid.socket'
+    if [[ $("$SYSTEMCTL_EXEC" is-system-running) != "offline" ]]; then
+      "$SYSTEMCTL_EXEC" stop 'acpid.socket'
+    fi
     "$SYSTEMCTL_EXEC" mask 'acpid.socket'
 fi
 # The service may not be running because it has been started and failed,

bash remediation for rule 'xccdf_org.ssgproject.content_rule_service_certmonger_disabled' differs.
--- xccdf_org.ssgproject.content_rule_service_certmonger_disabled
+++ xccdf_org.ssgproject.content_rule_service_certmonger_disabled
@@ -2,12 +2,16 @@
 if rpm --quiet -q kernel; then
 
 SYSTEMCTL_EXEC='/usr/bin/systemctl'
-"$SYSTEMCTL_EXEC" stop 'certmonger.service'
+if [[ $("$SYSTEMCTL_EXEC" is-system-running) != "offline" ]]; then
+  "$SYSTEMCTL_EXEC" stop 'certmonger.service'
+fi
 "$SYSTEMCTL_EXEC" disable 'certmonger.service'
 "$SYSTEMCTL_EXEC" mask 'certmonger.service'
 # Disable socket activation if we have a unit file for it
 if "$SYSTEMCTL_EXEC" -q list-unit-files certmonger.socket; then
-    "$SYSTEMCTL_EXEC" stop 'certmonger.socket'
+    if [[ $("$SYSTEMCTL_EXEC" is-system-running) != "offline" ]]; then
+      "$SYSTEMCTL_EXEC" stop 'certmonger.socket'
+    fi
     "$SYSTEMCTL_EXEC" mask 'certmonger.socket'
 fi
 # The service may not be running because it has been started and failed,

bash remediation for rule 'xccdf_org.ssgproject.content_rule_service_cockpit_disabled' differs.
--- xccdf_org.ssgproject.content_rule_service_cockpit_disabled
+++ xccdf_org.ssgproject.content_rule_service_cockpit_disabled
@@ -2,12 +2,16 @@
 if rpm --quiet -q kernel; then
 
 SYSTEMCTL_EXEC='/usr/bin/systemctl'
-"$SYSTEMCTL_EXEC" stop 'cockpit.service'
+if [[ $("$SYSTEMCTL_EXEC" is-system-running) != "offline" ]]; then
+  "$SYSTEMCTL_EXEC" stop 'cockpit.service'
+fi
 "$SYSTEMCTL_EXEC" disable 'cockpit.service'
 "$SYSTEMCTL_EXEC" mask 'cockpit.service'
 # Disable socket activation if we have a unit file for it
 if "$SYSTEMCTL_EXEC" -q list-unit-files cockpit.socket; then
-    "$SYSTEMCTL_EXEC" stop 'cockpit.socket'
+    if [[ $("$SYSTEMCTL_EXEC" is-system-running) != "offline" ]]; then
+      "$SYSTEMCTL_EXEC" stop 'cockpit.socket'
+    fi
     "$SYSTEMCTL_EXEC" mask 'cockpit.socket'
 fi
 # The service may not be running because it has been started and failed,

bash remediation for rule 'xccdf_org.ssgproject.content_rule_service_cpupower_disabled' differs.
--- xccdf_org.ssgproject.content_rule_service_cpupower_disabled
+++ xccdf_org.ssgproject.content_rule_service_cpupower_disabled
@@ -2,12 +2,16 @@
 if rpm --quiet -q kernel; then
 
 SYSTEMCTL_EXEC='/usr/bin/systemctl'
-"$SYSTEMCTL_EXEC" stop 'cpupower.service'
+if [[ $("$SYSTEMCTL_EXEC" is-system-running) != "offline" ]]; then
+  "$SYSTEMCTL_EXEC" stop 'cpupower.service'
+fi
 "$SYSTEMCTL_EXEC" disable 'cpupower.service'
 "$SYSTEMCTL_EXEC" mask 'cpupower.service'
 # Disable socket activation if we have a unit file for it
 if "$SYSTEMCTL_EXEC" -q list-unit-files cpupower.socket; then
-    "$SYSTEMCTL_EXEC" stop 'cpupower.socket'
+    if [[ $("$SYSTEMCTL_EXEC" is-system-running) != "offline" ]]; then
+      "$SYSTEMCTL_EXEC" stop 'cpupower.socket'
+    fi
     "$SYSTEMCTL_EXEC" mask 'cpupower.socket'
 fi
 # The service may not be running because it has been started and failed,

bash remediation for rule 'xccdf_org.ssgproject.content_rule_service_kdump_disabled' differs.
--- xccdf_org.ssgproject.content_rule_service_kdump_disabled
+++ xccdf_org.ssgproject.content_rule_service_kdump_disabled
@@ -2,12 +2,16 @@
 if rpm --quiet -q kernel; then
 
 SYSTEMCTL_EXEC='/usr/bin/systemctl'
-"$SYSTEMCTL_EXEC" stop 'kdump.service'
+if [[ $("$SYSTEMCTL_EXEC" is-system-running) != "offline" ]]; then
+  "$SYSTEMCTL_EXEC" stop 'kdump.service'
+fi
 "$SYSTEMCTL_EXEC" disable 'kdump.service'
 "$SYSTEMCTL_EXEC" mask 'kdump.service'
 # Disable socket activation if we have a unit file for it
 if "$SYSTEMCTL_EXEC" -q list-unit-files kdump.socket; then
-    "$SYSTEMCTL_EXEC" stop 'kdump.socket'
+    if [[ $("$SYSTEMCTL_EXEC" is-system-running) != "offline" ]]; then
+      "$SYSTEMCTL_EXEC" stop 'kdump.socket'
+    fi
     "$SYSTEMCTL_EXEC" mask 'kdump.socket'
 fi
 # The service may not be running because it has been started and failed,

bash remediation for rule 'xccdf_org.ssgproject.content_rule_service_mdmonitor_disabled' differs.
--- xccdf_org.ssgproject.content_rule_service_mdmonitor_disabled
+++ xccdf_org.ssgproject.content_rule_service_mdmonitor_disabled
@@ -2,12 +2,16 @@
 if rpm --quiet -q kernel; then
 
 SYSTEMCTL_EXEC='/usr/bin/systemctl'
-"$SYSTEMCTL_EXEC" stop 'mdmonitor.service'
+if [[ $("$SYSTEMCTL_EXEC" is-system-running) != "offline" ]]; then
+  "$SYSTEMCTL_EXEC" stop 'mdmonitor.service'
+fi
 "$SYSTEMCTL_EXEC" disable 'mdmonitor.service'
 "$SYSTEMCTL_EXEC" mask 'mdmonitor.service'
 # Disable socket activation if we have a unit file for it
 if "$SYSTEMCTL_EXEC" -q list-unit-files mdmonitor.socket; then
-    "$SYSTEMCTL_EXEC" stop 'mdmonitor.socket'
+    if [[ $("$SYSTEMCTL_EXEC" is-system-running) != "offline" ]]; then
+      "$SYSTEMCTL_EXEC" stop 'mdmonitor.socket'
+    fi
     "$SYSTEMCTL_EXEC" mask 'mdmonitor.socket'
 fi
 # The service may not be running because it has been started and failed,

bash remediation for rule 'xccdf_org.ssgproject.content_rule_service_netconsole_disabled' differs.
--- xccdf_org.ssgproject.content_rule_service_netconsole_disabled
+++ xccdf_org.ssgproject.content_rule_service_netconsole_disabled
@@ -2,12 +2,16 @@
 if rpm --quiet -q kernel; then
 
 SYSTEMCTL_EXEC='/usr/bin/systemctl'
-"$SYSTEMCTL_EXEC" stop 'netconsole.service'
+if [[ $("$SYSTEMCTL_EXEC" is-system-running) != "offline" ]]; then
+  "$SYSTEMCTL_EXEC" stop 'netconsole.service'
+fi
 "$SYSTEMCTL_EXEC" disable 'netconsole.service'
 "$SYSTEMCTL_EXEC" mask 'netconsole.service'
 # Disable socket activation if we have a unit file for it
 if "$SYSTEMCTL_EXEC" -q list-unit-files netconsole.socket; then
-    "$SYSTEMCTL_EXEC" stop 'netconsole.socket'
+    if [[ $("$SYSTEMCTL_EXEC" is-system-running) != "offline" ]]; then
+      "$SYSTEMCTL_EXEC" stop 'netconsole.socket'
+    fi
     "$SYSTEMCTL_EXEC" mask 'netconsole.socket'
 fi
 # The service may not be running because it has been started and failed,

bash remediation for rule 'xccdf_org.ssgproject.content_rule_service_ntpdate_disabled' differs.
--- xccdf_org.ssgproject.content_rule_service_ntpdate_disabled
+++ xccdf_org.ssgproject.content_rule_service_ntpdate_disabled
@@ -2,12 +2,16 @@
 if rpm --quiet -q kernel; then
 
 SYSTEMCTL_EXEC='/usr/bin/systemctl'
-"$SYSTEMCTL_EXEC" stop 'ntpdate.service'
+if [[ $("$SYSTEMCTL_EXEC" is-system-running) != "offline" ]]; then
+  "$SYSTEMCTL_EXEC" stop 'ntpdate.service'
+fi
 "$SYSTEMCTL_EXEC" disable 'ntpdate.service'
 "$SYSTEMCTL_EXEC" mask 'ntpdate.service'
 # Disable socket activation if we have a unit file for it
 if "$SYSTEMCTL_EXEC" -q list-unit-files ntpdate.socket; then
-    "$SYSTEMCTL_EXEC" stop 'ntpdate.socket'
+    if [[ $("$SYSTEMCTL_EXEC" is-system-running) != "offline" ]]; then
+      "$SYSTEMCTL_EXEC" stop 'ntpdate.socket'
+    fi
     "$SYSTEMCTL_EXEC" mask 'ntpdate.socket'
 fi
 # The service may not be running because it has been started and failed,

bash remediation for rule 'xccdf_org.ssgproject.content_rule_service_oddjobd_disabled' differs.
--- xccdf_org.ssgproject.content_rule_service_oddjobd_disabled
+++ xccdf_org.ssgproject.content_rule_service_oddjobd_disabled
@@ -2,12 +2,16 @@
 if rpm --quiet -q kernel; then
 
 SYSTEMCTL_EXEC='/usr/bin/systemctl'
-"$SYSTEMCTL_EXEC" stop 'oddjobd.service'
+if [[ $("$SYSTEMCTL_EXEC" is-system-running) != "offline" ]]; then
+  "$SYSTEMCTL_EXEC" stop 'oddjobd.service'
+fi
 "$SYSTEMCTL_EXEC" disable 'oddjobd.service'
 "$SYSTEMCTL_EXEC" mask 'oddjobd.service'
 # Disable socket activation if we have a unit file for it
 if "$SYSTEMCTL_EXEC" -q list-unit-files oddjobd.socket; then
-    "$SYSTEMCTL_EXEC" stop 'oddjobd.socket'
+    if [[ $("$SYSTEMCTL_EXEC" is-system-running) != "offline" ]]; then
+      "$SYSTEMCTL_EXEC" stop 'oddjobd.socket'
+    fi
     "$SYSTEMCTL_EXEC" mask 'oddjobd.socket'
 fi
 # The service may not be running because it has been started and failed,

bash remediation for rule 'xccdf_org.ssgproject.content_rule_service_portreserve_disabled' differs.
--- xccdf_org.ssgproject.content_rule_service_portreserve_disabled
+++ xccdf_org.ssgproject.content_rule_service_portreserve_disabled
@@ -2,12 +2,16 @@
 if rpm --quiet -q kernel; then
 
 SYSTEMCTL_EXEC='/usr/bin/systemctl'
-"$SYSTEMCTL_EXEC" stop 'portreserve.service'
+if [[ $("$SYSTEMCTL_EXEC" is-system-running) != "offline" ]]; then
+  "$SYSTEMCTL_EXEC" stop 'portreserve.service'
+fi
 "$SYSTEMCTL_EXEC" disable 'portreserve.service'
 "$SYSTEMCTL_EXEC" mask 'portreserve.service'
 # Disable socket activation if we have a unit file for it
 if "$SYSTEMCTL_EXEC" -q list-unit-files portreserve.socket; then
-    "$SYSTEMCTL_EXEC" stop 'portreserve.socket'
+    if [[ $("$SYSTEMCTL_EXEC" is-system-running) != "offline" ]]; then
+      "$SYSTEMCTL_EXEC" stop 'portreserve.socket'
+    fi
     "$SYSTEMCTL_EXEC" mask 'portreserve.socket'
 fi
 # The service may not be running because it has been started and failed,

bash remediation for rule 'xccdf_org.ssgproject.content_rule_service_qpidd_disabled' differs.
--- xccdf_org.ssgproject.content_rule_service_qpidd_disabled
+++ xccdf_org.ssgproject.content_rule_service_qpidd_disabled
@@ -2,12 +2,16 @@
 if rpm --quiet -q kernel; then
 
 SYSTEMCTL_EXEC='/usr/bin/systemctl'
-"$SYSTEMCTL_EXEC" stop 'qpidd.service'
+if [[ $("$SYSTEMCTL_EXEC" is-system-running) != "offline" ]]; then
+  "$SYSTEMCTL_EXEC" stop 'qpidd.service'
+fi
 "$SYSTEMCTL_EXEC" disable 'qpidd.service'
 "$SYSTEMCTL_EXEC" mask 'qpidd.service'
 # Disable socket activation if we have a unit file for it
 if "$SYSTEMCTL_EXEC" -q list-unit-files qpidd.socket; then
-    "$SYSTEMCTL_EXEC" stop 'qpidd.socket'
+    if [[ $("$SYSTEMCTL_EXEC" is-system-running) != "offline" ]]; then
+      "$SYSTEMCTL_EXEC" stop 'qpidd.socket'
+    fi
     "$SYSTEMCTL_EXEC" mask 'qpidd.socket'
 fi
 # The service may not be running because it has been started and failed,

bash remediation for rule 'xccdf_org.ssgproject.content_rule_service_quota_nld_disabled' differs.
--- xccdf_org.ssgproject.content_rule_service_quota_nld_disabled
+++ xccdf_org.ssgproject.content_rule_service_quota_nld_disabled
@@ -2,12 +2,16 @@
 if rpm --quiet -q kernel; then
 
 SYSTEMCTL_EXEC='/usr/bin/systemctl'
-"$SYSTEMCTL_EXEC" stop 'quota_nld.service'
+if [[ $("$SYSTEMCTL_EXEC" is-system-running) != "offline" ]]; then
+  "$SYSTEMCTL_EXEC" stop 'quota_nld.service'
+fi
 "$SYSTEMCTL_EXEC" disable 'quota_nld.service'
 "$SYSTEMCTL_EXEC" mask 'quota_nld.service'
 # Disable socket activation if we have a unit file for it
 if "$SYSTEMCTL_EXEC" -q list-unit-files quota_nld.socket; then
-    "$SYSTEMCTL_EXEC" stop 'quota_nld.socket'
+    if [[ $("$SYSTEMCTL_EXEC" is-system-running) != "offline" ]]; then
+      "$SYSTEMCTL_EXEC" stop 'quota_nld.socket'
+    fi
     "$SYSTEMCTL_EXEC" mask 'quota_nld.socket'
 fi
 # The service may not be running because it has been started and failed,

bash remediation for rule 'xccdf_org.ssgproject.content_rule_service_rdisc_disabled' differs.
--- xccdf_org.ssgproject.content_rule_service_rdisc_disabled
+++ xccdf_org.ssgproject.content_rule_service_rdisc_disabled
@@ -2,12 +2,16 @@
 if rpm --quiet -q kernel; then
 
 SYSTEMCTL_EXEC='/usr/bin/systemctl'
-"$SYSTEMCTL_EXEC" stop 'rdisc.service'
+if [[ $("$SYSTEMCTL_EXEC" is-system-running) != "offline" ]]; then
+  "$SYSTEMCTL_EXEC" stop 'rdisc.service'
+fi
 "$SYSTEMCTL_EXEC" disable 'rdisc.service'
 "$SYSTEMCTL_EXEC" mask 'rdisc.service'
 # Disable socket activation if we have a unit file for it
 if "$SYSTEMCTL_EXEC" -q list-unit-files rdisc.socket; then
-    "$SYSTEMCTL_EXEC" stop 'rdisc.socket'
+    if [[ $("$SYSTEMCTL_EXEC" is-system-running) != "offline" ]]; then
+      "$SYSTEMCTL_EXEC" stop 'rdisc.socket'
+    fi
     "$SYSTEMCTL_EXEC" mask 'rdisc.socket'
 fi
 # The service may not be running because it has been started and failed,

bash remediation for rule 'xccdf_org.ssgproject.content_rule_service_rhnsd_disabled' differs.
--- xccdf_org.ssgproject.content_rule_service_rhnsd_disabled
+++ xccdf_org.ssgproject.content_rule_service_rhnsd_disabled
@@ -2,12 +2,16 @@
 if rpm --quiet -q kernel; then
 
 SYSTEMCTL_EXEC='/usr/bin/systemctl'
-"$SYSTEMCTL_EXEC" stop 'rhnsd.service'
+if [[ $("$SYSTEMCTL_EXEC" is-system-running) != "offline" ]]; then
+  "$SYSTEMCTL_EXEC" stop 'rhnsd.service'
+fi
 "$SYSTEMCTL_EXEC" disable 'rhnsd.service'
 "$SYSTEMCTL_EXEC" mask 'rhnsd.service'
 # Disable socket activation if we have a unit file for it
 if "$SYSTEMCTL_EXEC" -q list-unit-files rhnsd.socket; then
-    "$SYSTEMCTL_EXEC" stop 'rhnsd.socket'
+    if [[ $("$SYSTEMCTL_EXEC" is-system-running) != "offline" ]]; then
+      "$SYSTEMCTL_EXEC" stop 'rhnsd.socket'
+    fi
     "$SYSTEMCTL_EXEC" mask 'rhnsd.socket'
 fi
 # The service may not be running because it has been started and failed,

bash remediation for rule 'xccdf_org.ssgproject.content_rule_service_rhsmcertd_disabled' differs.
--- xccdf_org.ssgproject.content_rule_service_rhsmcertd_disabled
+++ xccdf_org.ssgproject.content_rule_service_rhsmcertd_disabled
@@ -2,12 +2,16 @@
 if rpm --quiet -q kernel; then
 
 SYSTEMCTL_EXEC='/usr/bin/systemctl'
-"$SYSTEMCTL_EXEC" stop 'rhsmcertd.service'
+if [[ $("$SYSTEMCTL_EXEC" is-system-running) != "offline" ]]; then
+  "$SYSTEMCTL_EXEC" stop 'rhsmcertd.service'
+fi
 "$SYSTEMCTL_EXEC" disable 'rhsmcertd.service'
 "$SYSTEMCTL_EXEC" mask 'rhsmcertd.service'
 # Disable socket activation if we have a unit file for it
 if "$SYSTEMCTL_EXEC" -q list-unit-files rhsmcertd.socket; then
-    "$SYSTEMCTL_EXEC" stop 'rhsmcertd.socket'
+    if [[ $("$SYSTEMCTL_EXEC" is-system-running) != "offline" ]]; then
+      "$SYSTEMCTL_EXEC" stop 'rhsmcertd.socket'
+    fi
     "$SYSTEMCTL_EXEC" mask 'rhsmcertd.socket'
 fi
 # The service may not be running because it has been started and failed,

bash remediation for rule 'xccdf_org.ssgproject.content_rule_service_saslauthd_disabled' differs.
--- xccdf_org.ssgproject.content_rule_service_saslauthd_disabled
+++ xccdf_org.ssgproject.content_rule_service_saslauthd_disabled
@@ -2,12 +2,16 @@
 if rpm --quiet -q kernel; then
 
 SYSTEMCTL_EXEC='/usr/bin/systemctl'
-"$SYSTEMCTL_EXEC" stop 'saslauthd.service'
+if [[ $("$SYSTEMCTL_EXEC" is-system-running) != "offline" ]]; then
+  "$SYSTEMCTL_EXEC" stop 'saslauthd.service'
+fi
 "$SYSTEMCTL_EXEC" disable 'saslauthd.service'
 "$SYSTEMCTL_EXEC" mask 'saslauthd.service'
 # Disable socket activation if we have a unit file for it
 if "$SYSTEMCTL_EXEC" -q list-unit-files saslauthd.socket; then
-    "$SYSTEMCTL_EXEC" stop 'saslauthd.socket'
+    if [[ $("$SYSTEMCTL_EXEC" is-system-running) != "offline" ]]; then
+      "$SYSTEMCTL_EXEC" stop 'saslauthd.socket'
+    fi
     "$SYSTEMCTL_EXEC" mask 'saslauthd.socket'
 fi
 # The service may not be running because it has been started and failed,

bash remediation for rule 'xccdf_org.ssgproject.content_rule_service_sysstat_disabled' differs.
--- xccdf_org.ssgproject.content_rule_service_sysstat_disabled
+++ xccdf_org.ssgproject.content_rule_service_sysstat_disabled
@@ -2,12 +2,16 @@
 if rpm --quiet -q kernel; then
 
 SYSTEMCTL_EXEC='/usr/bin/systemctl'
-"$SYSTEMCTL_EXEC" stop 'sysstat.service'
+if [[ $("$SYSTEMCTL_EXEC" is-system-running) != "offline" ]]; then
+  "$SYSTEMCTL_EXEC" stop 'sysstat.service'
+fi
 "$SYSTEMCTL_EXEC" disable 'sysstat.service'
 "$SYSTEMCTL_EXEC" mask 'sysstat.service'
 # Disable socket activation if we have a unit file for it
 if "$SYSTEMCTL_EXEC" -q list-unit-files sysstat.socket; then
-    "$SYSTEMCTL_EXEC" stop 'sysstat.socket'
+    if [[ $("$SYSTEMCTL_EXEC" is-system-running) != "offline" ]]; then
+      "$SYSTEMCTL_EXEC" stop 'sysstat.socket'
+    fi
     "$SYSTEMCTL_EXEC" mask 'sysstat.socket'
 fi
 # The service may not be running because it has been started and failed,

bash remediation for rule 'xccdf_org.ssgproject.content_rule_service_cron_enabled' differs.
--- xccdf_org.ssgproject.content_rule_service_cron_enabled
+++ xccdf_org.ssgproject.content_rule_service_cron_enabled
@@ -3,7 +3,9 @@
 
 SYSTEMCTL_EXEC='/usr/bin/systemctl'
 "$SYSTEMCTL_EXEC" unmask 'crond.service'
-"$SYSTEMCTL_EXEC" start 'crond.service'
+if [[ $("$SYSTEMCTL_EXEC" is-system-running) != "offline" ]]; then
+  "$SYSTEMCTL_EXEC" start 'crond.service'
+fi
 "$SYSTEMCTL_EXEC" enable 'crond.service'
 
 else
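
Review bot: The new guard around `start 'crond.service'` carries no comment, so a reader of the generated remediation cannot tell why `start` is conditional while `unmask` and `enable` are not. Add one line above the `if` saying that runtime actions are skipped when `is-system-running` reports `offline` (chroot or image customisation), and that `unmask` and `enable` still run because they only change configuration.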

bash remediation for rule 'xccdf_org.ssgproject.content_rule_service_crond_enabled' differs.
--- xccdf_org.ssgproject.content_rule_service_crond_enabled
+++ xccdf_org.ssgproject.content_rule_service_crond_enabled
@@ -3,7 +3,9 @@
 
 SYSTEMCTL_EXEC='/usr/bin/systemctl'
 "$SYSTEMCTL_EXEC" unmask 'crond.service'
-"$SYSTEMCTL_EXEC" start 'crond.service'
+if [[ $("$SYSTEMCTL_EXEC" is-system-running) != "offline" ]]; then
+  "$SYSTEMCTL_EXEC" start 'crond.service'
+fi
 "$SYSTEMCTL_EXEC" enable 'crond.service'
 
 else

bash remediation for rule 'xccdf_org.ssgproject.content_rule_service_atd_disabled' differs.
--- xccdf_org.ssgproject.content_rule_service_atd_disabled
+++ xccdf_org.ssgproject.content_rule_service_atd_disabled
@@ -2,12 +2,16 @@
 if rpm --quiet -q kernel; then
 
 SYSTEMCTL_EXEC='/usr/bin/systemctl'
-"$SYSTEMCTL_EXEC" stop 'atd.service'
+if [[ $("$SYSTEMCTL_EXEC" is-system-running) != "offline" ]]; then
+  "$SYSTEMCTL_EXEC" stop 'atd.service'
+fi
 "$SYSTEMCTL_EXEC" disable 'atd.service'
 "$SYSTEMCTL_EXEC" mask 'atd.service'
 # Disable socket activation if we have a unit file for it
 if "$SYSTEMCTL_EXEC" -q list-unit-files atd.socket; then
-    "$SYSTEMCTL_EXEC" stop 'atd.socket'
+    if [[ $("$SYSTEMCTL_EXEC" is-system-running) != "offline" ]]; then
+      "$SYSTEMCTL_EXEC" stop 'atd.socket'
+    fi
     "$SYSTEMCTL_EXEC" mask 'atd.socket'
 fi
 # The service may not be running because it has been started and failed,

bash remediation for rule 'xccdf_org.ssgproject.content_rule_service_dhcpd_disabled' differs.
--- xccdf_org.ssgproject.content_rule_service_dhcpd_disabled
+++ xccdf_org.ssgproject.content_rule_service_dhcpd_disabled
@@ -2,12 +2,16 @@
 if rpm --quiet -q kernel; then
 
 SYSTEMCTL_EXEC='/usr/bin/systemctl'
-"$SYSTEMCTL_EXEC" stop 'dhcpd.service'
+if [[ $("$SYSTEMCTL_EXEC" is-system-running) != "offline" ]]; then
+  "$SYSTEMCTL_EXEC" stop 'dhcpd.service'
+fi
 "$SYSTEMCTL_EXEC" disable 'dhcpd.service'
 "$SYSTEMCTL_EXEC" mask 'dhcpd.service'
 # Disable socket activation if we have a unit file for it
 if "$SYSTEMCTL_EXEC" -q list-unit-files dhcpd.socket; then
-    "$SYSTEMCTL_EXEC" stop 'dhcpd.socket'
+    if [[ $("$SYSTEMCTL_EXEC" is-system-running) != "offline" ]]; then
+      "$SYSTEMCTL_EXEC" stop 'dhcpd.socket'
+    fi
     "$SYSTEMCTL_EXEC" mask 'dhcpd.socket'
 fi
 # The service may not be running because it has been started and failed,

bash remediation for rule 'xccdf_org.ssgproject.content_rule_service_named_disabled' differs.
--- xccdf_org.ssgproject.content_rule_service_named_disabled
+++ xccdf_org.ssgproject.content_rule_service_named_disabled
@@ -2,12 +2,16 @@
 if rpm --quiet -q kernel; then
 
 SYSTEMCTL_EXEC='/usr/bin/systemctl'
-"$SYSTEMCTL_EXEC" stop 'named.service'
+if [[ $("$SYSTEMCTL_EXEC" is-system-running) != "offline" ]]; then
+  "$SYSTEMCTL_EXEC" stop 'named.service'
+fi
 "$SYSTEMCTL_EXEC" disable 'named.service'
 "$SYSTEMCTL_EXEC" mask 'named.service'
 # Disable socket activation if we have a unit file for it
 if "$SYSTEMCTL_EXEC" -q list-unit-files named.socket; then
-    "$SYSTEMCTL_EXEC" stop 'named.socket'
+    if [[ $("$SYSTEMCTL_EXEC" is-system-running) != "offline" ]]; then
+      "$SYSTEMCTL_EXEC" stop 'named.socket'
+    fi
     "$SYSTEMCTL_EXEC" mask 'named.socket'
 fi
 # The service may not be running because it has been started and failed,

bash remediation for rule 'xccdf_org.ssgproject.content_rule_service_fapolicyd_enabled' differs.
--- xccdf_org.ssgproject.content_rule_service_fapolicyd_enabled
+++ xccdf_org.ssgproject.content_rule_service_fapolicyd_enabled
@@ -3,7 +3,9 @@
 
 SYSTEMCTL_EXEC='/usr/bin/systemctl'
 "$SYSTEMCTL_EXEC" unmask 'fapolicyd.service'
-"$SYSTEMCTL_EXEC" start 'fapolicyd.service'
+if [[ $("$SYSTEMCTL_EXEC" is-system-running) != "offline" ]]; then
+  "$SYSTEMCTL_EXEC" start 'fapolicyd.service'
+fi
 "$SYSTEMCTL_EXEC" enable 'fapolicyd.service'
 
 else

bash remediation for rule 'xccdf_org.ssgproject.content_rule_service_vsftpd_disabled' differs.
--- xccdf_org.ssgproject.content_rule_service_vsftpd_disabled
+++ xccdf_org.ssgproject.content_rule_service_vsftpd_disabled
@@ -2,12 +2,16 @@
 if rpm --quiet -q kernel; then
 
 SYSTEMCTL_EXEC='/usr/bin/systemctl'
-"$SYSTEMCTL_EXEC" stop 'vsftpd.service'
+if [[ $("$SYSTEMCTL_EXEC" is-system-running) != "offline" ]]; then
+  "$SYSTEMCTL_EXEC" stop 'vsftpd.service'
+fi
 "$SYSTEMCTL_EXEC" disable 'vsftpd.service'
 "$SYSTEMCTL_EXEC" mask 'vsftpd.service'
 # Disable socket activation if we have a unit file for it
 if "$SYSTEMCTL_EXEC" -q list-unit-files vsftpd.socket; then
-    "$SYSTEMCTL_EXEC" stop 'vsftpd.socket'
+    if [[ $("$SYSTEMCTL_EXEC" is-system-running) != "offline" ]]; then
+      "$SYSTEMCTL_EXEC" stop 'vsftpd.socket'
+    fi
     "$SYSTEMCTL_EXEC" mask 'vsftpd.socket'
 fi
 # The service may not be running because it has been started and failed,

bash remediation for rule 'xccdf_org.ssgproject.content_rule_service_httpd_disabled' differs.
--- xccdf_org.ssgproject.content_rule_service_httpd_disabled
+++ xccdf_org.ssgproject.content_rule_service_httpd_disabled
@@ -2,12 +2,16 @@
 if rpm --quiet -q kernel; then
 
 SYSTEMCTL_EXEC='/usr/bin/systemctl'
-"$SYSTEMCTL_EXEC" stop 'httpd.service'
+if [[ $("$SYSTEMCTL_EXEC" is-system-running) != "offline" ]]; then
+  "$SYSTEMCTL_EXEC" stop 'httpd.service'
+fi
 "$SYSTEMCTL_EXEC" disable 'httpd.service'
 "$SYSTEMCTL_EXEC" mask 'httpd.service'
 # Disable socket activation if we have a unit file for it
 if "$SYSTEMCTL_EXEC" -q list-unit-files httpd.socket; then
-    "$SYSTEMCTL_EXEC" stop 'httpd.socket'
+    if [[ $("$SYSTEMCTL_EXEC" is-system-running) != "offline" ]]; then
+      "$SYSTEMCTL_EXEC" stop 'httpd.socket'
+    fi
     "$SYSTEMCTL_EXEC" mask 'httpd.socket'
 fi
 # The service may not be running because it has been started and failed,

bash remediation for rule 'xccdf_org.ssgproject.content_rule_service_dovecot_disabled' differs.
--- xccdf_org.ssgproject.content_rule_service_dovecot_disabled
+++ xccdf_org.ssgproject.content_rule_service_dovecot_disabled
@@ -2,12 +2,16 @@
 if rpm --quiet -q kernel; then
 
 SYSTEMCTL_EXEC='/usr/bin/systemctl'
-"$SYSTEMCTL_EXEC" stop 'dovecot.service'
+if [[ $("$SYSTEMCTL_EXEC" is-system-running) != "offline" ]]; then
+  "$SYSTEMCTL_EXEC" stop 'dovecot.service'
+fi
 "$SYSTEMCTL_EXEC" disable 'dovecot.service'
 "$SYSTEMCTL_EXEC" mask 'dovecot.service'
 # Disable socket activation if we have a unit file for it
 if "$SYSTEMCTL_EXEC" -q list-unit-files dovecot.socket; then
-    "$SYSTEMCTL_EXEC" stop 'dovecot.socket'
+    if [[ $("$SYSTEMCTL_EXEC" is-system-running) != "offline" ]]; then
+      "$SYSTEMCTL_EXEC" stop 'dovecot.socket'
+    fi
     "$SYSTEMCTL_EXEC" mask 'dovecot.socket'
 fi
 # The service may not be running because it has been started and failed,

bash remediation for rule 'xccdf_org.ssgproject.content_rule_service_slapd_disabled' differs.
--- xccdf_org.ssgproject.content_rule_service_slapd_disabled
+++ xccdf_org.ssgproject.content_rule_service_slapd_disabled
@@ -2,12 +2,16 @@
 if rpm --quiet -q kernel; then
 
 SYSTEMCTL_EXEC='/usr/bin/systemctl'
-"$SYSTEMCTL_EXEC" stop 'slapd.service'
+if [[ $("$SYSTEMCTL_EXEC" is-system-running) != "offline" ]]; then
+  "$SYSTEMCTL_EXEC" stop 'slapd.service'
+fi
 "$SYSTEMCTL_EXEC" disable 'slapd.service'
 "$SYSTEMCTL_EXEC" mask 'slapd.service'
 # Disable socket activation if we have a unit file for it
 if "$SYSTEMCTL_EXEC" -q list-unit-files slapd.socket; then
-    "$SYSTEMCTL_EXEC" stop 'slapd.socket'
+    if [[ $("$SYSTEMCTL_EXEC" is-system-running) != "offline" ]]; then
+      "$SYSTEMCTL_EXEC" stop 'slapd.socket'
+    fi
     "$SYSTEMCTL_EXEC" mask 'slapd.socket'
 fi
 # The service may not be running because it has been started and failed,

bash remediation for rule 'xccdf_org.ssgproject.content_rule_service_postfix_enabled' differs.
--- xccdf_org.ssgproject.content_rule_service_postfix_enabled
+++ xccdf_org.ssgproject.content_rule_service_postfix_enabled
@@ -3,7 +3,9 @@
 
 SYSTEMCTL_EXEC='/usr/bin/systemctl'
 "$SYSTEMCTL_EXEC" unmask 'postfix.service'
-"$SYSTEMCTL_EXEC" start 'postfix.service'
+if [[ $("$SYSTEMCTL_EXEC" is-system-running) != "offline" ]]; then
+  "$SYSTEMCTL_EXEC" start 'postfix.service'
+fi
 "$SYSTEMCTL_EXEC" enable 'postfix.service'
 
 else

bash remediation for rule 'xccdf_org.ssgproject.content_rule_service_netfs_disabled' differs.
--- xccdf_org.ssgproject.content_rule_service_netfs_disabled
+++ xccdf_org.ssgproject.content_rule_service_netfs_disabled
@@ -2,12 +2,16 @@
 if rpm --quiet -q kernel; then
 
 SYSTEMCTL_EXEC='/usr/bin/systemctl'
-"$SYSTEMCTL_EXEC" stop 'netfs.service'
+if [[ $("$SYSTEMCTL_EXEC" is-system-running) != "offline" ]]; then
+  "$SYSTEMCTL_EXEC" stop 'netfs.service'
+fi
 "$SYSTEMCTL_EXEC" disable 'netfs.service'
 "$SYSTEMCTL_EXEC" mask 'netfs.service'
 # Disable socket activation if we have a unit file for it
 if "$SYSTEMCTL_EXEC" -q list-unit-files netfs.socket; then
-    "$SYSTEMCTL_EXEC" stop 'netfs.socket'
+    if [[ $("$SYSTEMCTL_EXEC" is-system-running) != "offline" ]]; then
+      "$SYSTEMCTL_EXEC" stop 'netfs.socket'
+    fi
     "$SYSTEMCTL_EXEC" mask 'netfs.socket'
 fi
 # The service may not be running because it has been started and failed,

bash remediation for rule 'xccdf_org.ssgproject.content_rule_service_nfslock_disabled' differs.
--- xccdf_org.ssgproject.content_rule_service_nfslock_disabled
+++ xccdf_org.ssgproject.content_rule_service_nfslock_disabled
@@ -2,12 +2,16 @@
 if rpm --quiet -q kernel; then
 
 SYSTEMCTL_EXEC='/usr/bin/systemctl'
-"$SYSTEMCTL_EXEC" stop 'nfslock.service'
+if [[ $("$SYSTEMCTL_EXEC" is-system-running) != "offline" ]]; then
+  "$SYSTEMCTL_EXEC" stop 'nfslock.service'
+fi
 "$SYSTEMCTL_EXEC" disable 'nfslock.service'
 "$SYSTEMCTL_EXEC" mask 'nfslock.service'
 # Disable socket activation if we have a unit file for it
 if "$SYSTEMCTL_EXEC" -q list-unit-files nfslock.socket; then
-    "$SYSTEMCTL_EXEC" stop 'nfslock.socket'
+    if [[ $("$SYSTEMCTL_EXEC" is-system-running) != "offline" ]]; then
+      "$SYSTEMCTL_EXEC" stop 'nfslock.socket'
+    fi
     "$SYSTEMCTL_EXEC" mask 'nfslock.socket'
 fi
 # The service may not be running because it has been started and failed,

bash remediation for rule 'xccdf_org.ssgproject.content_rule_service_rpcbind_disabled' differs.
--- xccdf_org.ssgproject.content_rule_service_rpcbind_disabled
+++ xccdf_org.ssgproject.content_rule_service_rpcbind_disabled
@@ -2,12 +2,16 @@
 if rpm --quiet -q kernel; then
 
 SYSTEMCTL_EXEC='/usr/bin/systemctl'
-"$SYSTEMCTL_EXEC" stop 'rpcbind.service'
+if [[ $("$SYSTEMCTL_EXEC" is-system-running) != "offline" ]]; then
+  "$SYSTEMCTL_EXEC" stop 'rpcbind.service'
+fi
 "$SYSTEMCTL_EXEC" disable 'rpcbind.service'
 "$SYSTEMCTL_EXEC" mask 'rpcbind.service'
 # Disable socket activation if we have a unit file for it
 if "$SYSTEMCTL_EXEC" -q list-unit-files rpcbind.socket; then
-    "$SYSTEMCTL_EXEC" stop 'rpcbind.socket'
+    if [[ $("$SYSTEMCTL_EXEC" is-system-running) != "offline" ]]; then
+      "$SYSTEMCTL_EXEC" stop 'rpcbind.socket'
+    fi
     "$SYSTEMCTL_EXEC" mask 'rpcbind.socket'
 fi
 # The service may not be running because it has been started and failed,

bash remediation for rule 'xccdf_org.ssgproject.content_rule_service_rpcgssd_disabled' differs.
--- xccdf_org.ssgproject.content_rule_service_rpcgssd_disabled
+++ xccdf_org.ssgproject.content_rule_service_rpcgssd_disabled
@@ -2,12 +2,16 @@
 if rpm --quiet -q kernel; then
 
 SYSTEMCTL_EXEC='/usr/bin/systemctl'
-"$SYSTEMCTL_EXEC" stop 'rpcgssd.service'
+if [[ $("$SYSTEMCTL_EXEC" is-system-running) != "offline" ]]; then
+  "$SYSTEMCTL_EXEC" stop 'rpcgssd.service'
+fi
 "$SYSTEMCTL_EXEC" disable 'rpcgssd.service'
 "$SYSTEMCTL_EXEC" mask 'rpcgssd.service'
 # Disable socket activation if we have a unit file for it
 if "$SYSTEMCTL_EXEC" -q list-unit-files rpcgssd.socket; then
-    "$SYSTEMCTL_EXEC" stop 'rpcgssd.socket'
+    if [[ $("$SYSTEMCTL_EXEC" is-system-running) != "offline" ]]; then
+      "$SYSTEMCTL_EXEC" stop 'rpcgssd.socket'
+    fi
     "$SYSTEMCTL_EXEC" mask 'rpcgssd.socket'
 fi
 # The service may not be running because it has been started and failed,

bash remediation for rule 'xccdf_org.ssgproject.content_rule_service_rpcidmapd_disabled' differs.
--- xccdf_org.ssgproject.content_rule_service_rpcidmapd_disabled
+++ xccdf_org.ssgproject.content_rule_service_rpcidmapd_disabled
@@ -2,12 +2,16 @@
 if rpm --quiet -q kernel; then
 
 SYSTEMCTL_EXEC='/usr/bin/systemctl'
-"$SYSTEMCTL_EXEC" stop 'rpcidmapd.service'
+if [[ $("$SYSTEMCTL_EXEC" is-system-running) != "offline" ]]; then
+  "$SYSTEMCTL_EXEC" stop 'rpcidmapd.service'
+fi
 "$SYSTEMCTL_EXEC" disable 'rpcidmapd.service'
 "$SYSTEMCTL_EXEC" mask 'rpcidmapd.service'
 # Disable socket activation if we have a unit file for it
 if "$SYSTEMCTL_EXEC" -q list-unit-files rpcidmapd.socket; then
-    "$SYSTEMCTL_EXEC" stop 'rpcidmapd.socket'
+    if [[ $("$SYSTEMCTL_EXEC" is-system-running) != "offline" ]]; then
+      "$SYSTEMCTL_EXEC" stop 'rpcidmapd.socket'
+    fi
     "$SYSTEMCTL_EXEC" mask 'rpcidmapd.socket'
 fi
 # The service may not be running because it has been started and failed,

bash remediation for rule 'xccdf_org.ssgproject.content_rule_service_nfs_disabled' differs.
--- xccdf_org.ssgproject.content_rule_service_nfs_disabled
+++ xccdf_org.ssgproject.content_rule_service_nfs_disabled
@@ -2,12 +2,16 @@
 if rpm --quiet -q kernel; then
 
 SYSTEMCTL_EXEC='/usr/bin/systemctl'
-"$SYSTEMCTL_EXEC" stop 'nfs-server.service'
+if [[ $("$SYSTEMCTL_EXEC" is-system-running) != "offline" ]]; then
+  "$SYSTEMCTL_EXEC" stop 'nfs-server.service'
+fi
 "$SYSTEMCTL_EXEC" disable 'nfs-server.service'
 "$SYSTEMCTL_EXEC" mask 'nfs-server.service'
 # Disable socket activation if we have a unit file for it
 if "$SYSTEMCTL_EXEC" -q list-unit-files nfs-server.socket; then
-    "$SYSTEMCTL_EXEC" stop 'nfs-server.socket'
+    if [[ $("$SYSTEMCTL_EXEC" is-system-running) != "offline" ]]; then
+      "$SYSTEMCTL_EXEC" stop 'nfs-server.socket'
+    fi
     "$SYSTEMCTL_EXEC" mask 'nfs-server.socket'
 fi
 # The service may not be running because it has been started and failed,

bash remediation for rule 'xccdf_org.ssgproject.content_rule_service_rpcsvcgssd_disabled' differs.
--- xccdf_org.ssgproject.content_rule_service_rpcsvcgssd_disabled
+++ xccdf_org.ssgproject.content_rule_service_rpcsvcgssd_disabled
@@ -2,12 +2,16 @@
 if rpm --quiet -q kernel; then
 
 SYSTEMCTL_EXEC='/usr/bin/systemctl'
-"$SYSTEMCTL_EXEC" stop 'rpcsvcgssd.service'
+if [[ $("$SYSTEMCTL_EXEC" is-system-running) != "offline" ]]; then
+  "$SYSTEMCTL_EXEC" stop 'rpcsvcgssd.service'
+fi
 "$SYSTEMCTL_EXEC" disable 'rpcsvcgssd.service'
 "$SYSTEMCTL_EXEC" mask 'rpcsvcgssd.service'
 # Disable socket activation if we have a unit file for it
 if "$SYSTEMCTL_EXEC" -q list-unit-files rpcsvcgssd.socket; then
-    "$SYSTEMCTL_EXEC" stop 'rpcsvcgssd.socket'
+    if [[ $("$SYSTEMCTL_EXEC" is-system-running) != "offline" ]]; then
+      "$SYSTEMCTL_EXEC" stop 'rpcsvcgssd.socket'
+    fi
     "$SYSTEMCTL_EXEC" mask 'rpcsvcgssd.socket'
 fi
 # The service may not be running because it has been started and failed,

bash remediation for rule 'xccdf_org.ssgproject.content_rule_service_chronyd_enabled' differs.
--- xccdf_org.ssgproject.content_rule_service_chronyd_enabled
+++ xccdf_org.ssgproject.content_rule_service_chronyd_enabled
@@ -3,7 +3,9 @@
 
 SYSTEMCTL_EXEC='/usr/bin/systemctl'
 "$SYSTEMCTL_EXEC" unmask 'chronyd.service'
-"$SYSTEMCTL_EXEC" start 'chronyd.service'
+if [[ $("$SYSTEMCTL_EXEC" is-system-running) != "offline" ]]; then
+  "$SYSTEMCTL_EXEC" start 'chronyd.service'
+fi
 "$SYSTEMCTL_EXEC" enable 'chronyd.service'
 
 else

bash remediation for rule 'xccdf_org.ssgproject.content_rule_service_chronyd_or_ntpd_enabled' differs.
--- xccdf_org.ssgproject.content_rule_service_chronyd_or_ntpd_enabled
+++ xccdf_org.ssgproject.content_rule_service_chronyd_or_ntpd_enabled
@@ -4,7 +4,9 @@
 if rpm --quiet -q "chrony" ; then
     if ! /usr/sbin/pidof ntpd ; then
         /usr/bin/systemctl enable "chronyd"
+        if [[ $(/usr/bin/systemctl is-system-running) != "offline" ]]; then
         /usr/bin/systemctl start "chronyd"
+        fi
         # The service may not be running because it has been started and failed,
         # so let's reset the state so OVAL checks pass.
         # Service should be 'inactive', not 'failed' after reboot though.
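
Review bot: The `if ! /usr/sbin/pidof ntpd` test at the top of this hunk is still a runtime probe, so on an offline image the branch taken depends on which processes are visible from the build environment rather than on what the image contains. Since the change is meant to make this remediation usable offline, either skip the `pidof` test when the state is `offline` or decide the branch from installed packages only, as the `rpm --quiet -q` tests already do.
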
@@ -14,7 +16,9 @@
     fi
 elif rpm --quiet -q "ntp" ; then
     /usr/bin/systemctl enable "ntpd"
+    if [[ $(/usr/bin/systemctl is-system-running) != "offline" ]]; then
     /usr/bin/systemctl start "ntpd"
+    fi
     # The service may not be running because it has been started and failed,
     # so let's reset the state so OVAL checks pass.
     # Service should be 'inactive', not 'failed' after reboot though.
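
Review bot: The `/usr/bin/systemctl start "ntpd"` line was left at its old indentation inside the added `if`/`fi`, so the body sits in the same column as the guard; the other two hunks of this rule have the same problem. Indent the `start` line one level, as the templated remediations do for `"$SYSTEMCTL_EXEC" start`.
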
@@ -26,7 +30,9 @@
         yum install -y "chrony"
     fi
     /usr/bin/systemctl enable "chronyd"
+    if [[ $(/usr/bin/systemctl is-system-running) != "offline" ]]; then
     /usr/bin/systemctl start "chronyd"
+    fi
     # The service may not be running because it has been started and failed,
     # so let's reset the state so OVAL checks pass.
     # Service should be 'inactive', not 'failed' after reboot though.
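
Review bot: The context after the guarded `start "chronyd"` says the state is reset "so OVAL checks pass", which is another action on the running manager, and this hunk leaves it outside the new `if`. Check whether that step needs the same `offline` guard or is harmless when systemd is not running; if it needs the guard, move it into the same block rather than adding a second test.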

bash remediation for rule 'xccdf_org.ssgproject.content_rule_service_ntp_enabled' differs.
--- xccdf_org.ssgproject.content_rule_service_ntp_enabled
+++ xccdf_org.ssgproject.content_rule_service_ntp_enabled
@@ -3,7 +3,9 @@
 
 SYSTEMCTL_EXEC='/usr/bin/systemctl'
 "$SYSTEMCTL_EXEC" unmask 'ntp.service'
-"$SYSTEMCTL_EXEC" start 'ntp.service'
+if [[ $("$SYSTEMCTL_EXEC" is-system-running) != "offline" ]]; then
+  "$SYSTEMCTL_EXEC" start 'ntp.service'
+fi
 "$SYSTEMCTL_EXEC" enable 'ntp.service'
 
 else

bash remediation for rule 'xccdf_org.ssgproject.content_rule_service_ntpd_enabled' differs.
--- xccdf_org.ssgproject.content_rule_service_ntpd_enabled
+++ xccdf_org.ssgproject.content_rule_service_ntpd_enabled
@@ -3,7 +3,9 @@
 
 SYSTEMCTL_EXEC='/usr/bin/systemctl'
 "$SYSTEMCTL_EXEC" unmask 'ntpd.service'
-"$SYSTEMCTL_EXEC" start 'ntpd.service'
+if [[ $("$SYSTEMCTL_EXEC" is-system-running) != "offline" ]]; then
+  "$SYSTEMCTL_EXEC" start 'ntpd.service'
+fi
 "$SYSTEMCTL_EXEC" enable 'ntpd.service'
 
 else

bash remediation for rule 'xccdf_org.ssgproject.content_rule_service_rsyncd_disabled' differs.
--- xccdf_org.ssgproject.content_rule_service_rsyncd_disabled
+++ xccdf_org.ssgproject.content_rule_service_rsyncd_disabled
@@ -2,12 +2,16 @@
 if rpm --quiet -q kernel; then
 
 SYSTEMCTL_EXEC='/usr/bin/systemctl'
-"$SYSTEMCTL_EXEC" stop 'rsyncd.service'
+if [[ $("$SYSTEMCTL_EXEC" is-system-running) != "offline" ]]; then
+  "$SYSTEMCTL_EXEC" stop 'rsyncd.service'
+fi
 "$SYSTEMCTL_EXEC" disable 'rsyncd.service'
 "$SYSTEMCTL_EXEC" mask 'rsyncd.service'
 # Disable socket activation if we have a unit file for it
 if "$SYSTEMCTL_EXEC" -q list-unit-files rsyncd.socket; then
-    "$SYSTEMCTL_EXEC" stop 'rsyncd.socket'
+    if [[ $("$SYSTEMCTL_EXEC" is-system-running) != "offline" ]]; then
+      "$SYSTEMCTL_EXEC" stop 'rsyncd.socket'
+    fi
     "$SYSTEMCTL_EXEC" mask 'rsyncd.socket'
 fi
 # The service may not be running because it has been started and failed,

bash remediation for rule 'xccdf_org.ssgproject.content_rule_service_xinetd_disabled' differs.
--- xccdf_org.ssgproject.content_rule_service_xinetd_disabled
+++ xccdf_org.ssgproject.content_rule_service_xinetd_disabled
@@ -2,12 +2,16 @@
 if rpm --quiet -q kernel; then
 
 SYSTEMCTL_EXEC='/usr/bin/systemctl'
-"$SYSTEMCTL_EXEC" stop 'xinetd.service'
+if [[ $("$SYSTEMCTL_EXEC" is-system-running) != "offline" ]]; then
+  "$SYSTEMCTL_EXEC" stop 'xinetd.service'
+fi
 "$SYSTEMCTL_EXEC" disable 'xinetd.service'
 "$SYSTEMCTL_EXEC" mask 'xinetd.service'
 # Disable socket activation if we have a unit file for it
 if "$SYSTEMCTL_EXEC" -q list-unit-files xinetd.socket; then
-    "$SYSTEMCTL_EXEC" stop 'xinetd.socket'
+    if [[ $("$SYSTEMCTL_EXEC" is-system-running) != "offline" ]]; then
+      "$SYSTEMCTL_EXEC" stop 'xinetd.socket'
+    fi
     "$SYSTEMCTL_EXEC" mask 'xinetd.socket'
 fi
 # The service may not be running because it has been started and failed,

bash remediation for rule 'xccdf_org.ssgproject.content_rule_service_ypbind_disabled' differs.
--- xccdf_org.ssgproject.content_rule_service_ypbind_disabled
+++ xccdf_org.ssgproject.content_rule_service_ypbind_disabled
@@ -2,12 +2,16 @@
 if rpm --quiet -q kernel; then
 
 SYSTEMCTL_EXEC='/usr/bin/systemctl'
-"$SYSTEMCTL_EXEC" stop 'ypbind.service'
+if [[ $("$SYSTEMCTL_EXEC" is-system-running) != "offline" ]]; then
+  "$SYSTEMCTL_EXEC" stop 'ypbind.service'
+fi
 "$SYSTEMCTL_EXEC" disable 'ypbind.service'
 "$SYSTEMCTL_EXEC" mask 'ypbind.service'
 # Disable socket activation if we have a unit file for it
 if "$SYSTEMCTL_EXEC" -q list-unit-files ypbind.socket; then
-    "$SYSTEMCTL_EXEC" stop 'ypbind.socket'
+    if [[ $("$SYSTEMCTL_EXEC" is-system-running) != "offline" ]]; then
+      "$SYSTEMCTL_EXEC" stop 'ypbind.socket'
+    fi
     "$SYSTEMCTL_EXEC" mask 'ypbind.socket'
 fi
 # The service may not be running because it has been started and failed,

bash remediation for rule 'xccdf_org.ssgproject.content_rule_service_ypserv_disabled' differs.
--- xccdf_org.ssgproject.content_rule_service_ypserv_disabled
+++ xccdf_org.ssgproject.content_rule_service_ypserv_disabled
@@ -2,12 +2,16 @@
 if rpm --quiet -q kernel; then
 
 SYSTEMCTL_EXEC='/usr/bin/systemctl'
-"$SYSTEMCTL_EXEC" stop 'ypserv.service'
+if [[ $("$SYSTEMCTL_EXEC" is-system-running) != "offline" ]]; then
+  "$SYSTEMCTL_EXEC" stop 'ypserv.service'
+fi
 "$SYSTEMCTL_EXEC" disable 'ypserv.service'
 "$SYSTEMCTL_EXEC" mask 'ypserv.service'
 # Disable socket activation if we have a unit file for it
 if "$SYSTEMCTL_EXEC" -q list-unit-files ypserv.socket; then
-    "$SYSTEMCTL_EXEC" stop 'ypserv.socket'
+    if [[ $("$SYSTEMCTL_EXEC" is-system-running) != "offline" ]]; then
+      "$SYSTEMCTL_EXEC" stop 'ypserv.socket'
+    fi
     "$SYSTEMCTL_EXEC" mask 'ypserv.socket'
 fi
 # The service may not be running because it has been started and failed,

bash remediation for rule 'xccdf_org.ssgproject.content_rule_service_rexec_disabled' differs.
--- xccdf_org.ssgproject.content_rule_service_rexec_disabled
+++ xccdf_org.ssgproject.content_rule_service_rexec_disabled
@@ -2,12 +2,16 @@
 if rpm --quiet -q kernel; then
 
 SYSTEMCTL_EXEC='/usr/bin/systemctl'
-"$SYSTEMCTL_EXEC" stop 'rexec.service'
+if [[ $("$SYSTEMCTL_EXEC" is-system-running) != "offline" ]]; then
+  "$SYSTEMCTL_EXEC" stop 'rexec.service'
+fi
 "$SYSTEMCTL_EXEC" disable 'rexec.service'
 "$SYSTEMCTL_EXEC" mask 'rexec.service'
 # Disable socket activation if we have a unit file for it
 if "$SYSTEMCTL_EXEC" -q list-unit-files rexec.socket; then
-    "$SYSTEMCTL_EXEC" stop 'rexec.socket'
+    if [[ $("$SYSTEMCTL_EXEC" is-system-running) != "offline" ]]; then
+      "$SYSTEMCTL_EXEC" stop 'rexec.socket'
+    fi
     "$SYSTEMCTL_EXEC" mask 'rexec.socket'
 fi
 # The service may not be running because it has been started and failed,

bash remediation for rule 'xccdf_org.ssgproject.content_rule_service_rlogin_disabled' differs.
--- xccdf_org.ssgproject.content_rule_service_rlogin_disabled
+++ xccdf_org.ssgproject.content_rule_service_rlogin_disabled
@@ -2,12 +2,16 @@
 if rpm --quiet -q kernel; then
 
 SYSTEMCTL_EXEC='/usr/bin/systemctl'
-"$SYSTEMCTL_EXEC" stop 'rlogin.service'
+if [[ $("$SYSTEMCTL_EXEC" is-system-running) != "offline" ]]; then
+  "$SYSTEMCTL_EXEC" stop 'rlogin.service'
+fi
 "$SYSTEMCTL_EXEC" disable 'rlogin.service'
 "$SYSTEMCTL_EXEC" mask 'rlogin.service'
 # Disable socket activation if we have a unit file for it
 if "$SYSTEMCTL_EXEC" -q list-unit-files rlogin.socket; then
-    "$SYSTEMCTL_EXEC" stop 'rlogin.socket'
+    if [[ $("$SYSTEMCTL_EXEC" is-system-running) != "offline" ]]; then
+      "$SYSTEMCTL_EXEC" stop 'rlogin.socket'
+    fi
     "$SYSTEMCTL_EXEC" mask 'rlogin.socket'
 fi
 # The service may not be running because it has been started and failed,

bash remediation for rule 'xccdf_org.ssgproject.content_rule_service_rsh_disabled' differs.
--- xccdf_org.ssgproject.content_rule_service_rsh_disabled
+++ xccdf_org.ssgproject.content_rule_service_rsh_disabled
@@ -2,12 +2,16 @@
 if rpm --quiet -q kernel; then
 
 SYSTEMCTL_EXEC='/usr/bin/systemctl'
-"$SYSTEMCTL_EXEC" stop 'rsh.service'
+if [[ $("$SYSTEMCTL_EXEC" is-system-running) != "offline" ]]; then
+  "$SYSTEMCTL_EXEC" stop 'rsh.service'
+fi
 "$SYSTEMCTL_EXEC" disable 'rsh.service'
 "$SYSTEMCTL_EXEC" mask 'rsh.service'
 # Disable socket activation if we have a unit file for it
 if "$SYSTEMCTL_EXEC" -q list-unit-files rsh.socket; then
-    "$SYSTEMCTL_EXEC" stop 'rsh.socket'
+    if [[ $("$SYSTEMCTL_EXEC" is-system-running) != "offline" ]]; then
+      "$SYSTEMCTL_EXEC" stop 'rsh.socket'
+    fi
     "$SYSTEMCTL_EXEC" mask 'rsh.socket'
 fi
 # The service may not be running because it has been started and failed,

bash remediation for rule 'xccdf_org.ssgproject.content_rule_service_telnet_disabled' differs.
--- xccdf_org.ssgproject.content_rule_service_telnet_disabled
+++ xccdf_org.ssgproject.content_rule_service_telnet_disabled
@@ -2,12 +2,16 @@
 if ( rpm --quiet -q telnet-server && rpm --quiet -q kernel ); then
 
 SYSTEMCTL_EXEC='/usr/bin/systemctl'
-"$SYSTEMCTL_EXEC" stop 'telnet.service'
+if [[ $("$SYSTEMCTL_EXEC" is-system-running) != "offline" ]]; then
+  "$SYSTEMCTL_EXEC" stop 'telnet.service'
+fi
 "$SYSTEMCTL_EXEC" disable 'telnet.service'
 "$SYSTEMCTL_EXEC" mask 'telnet.service'
 # Disable socket activation if we have a unit file for it
 if "$SYSTEMCTL_EXEC" -q list-unit-files telnet.socket; then
-    "$SYSTEMCTL_EXEC" stop 'telnet.socket'
+    if [[ $("$SYSTEMCTL_EXEC" is-system-running) != "offline" ]]; then
+      "$SYSTEMCTL_EXEC" stop 'telnet.socket'
+    fi
     "$SYSTEMCTL_EXEC" mask 'telnet.socket'
 fi
 # The service may not be running because it has been started and failed,

bash remediation for rule 'xccdf_org.ssgproject.content_rule_service_tftp_disabled' differs.
--- xccdf_org.ssgproject.content_rule_service_tftp_disabled
+++ xccdf_org.ssgproject.content_rule_service_tftp_disabled
@@ -2,12 +2,16 @@
 if rpm --quiet -q kernel; then
 
 SYSTEMCTL_EXEC='/usr/bin/systemctl'
-"$SYSTEMCTL_EXEC" stop 'tftp.service'
+if [[ $("$SYSTEMCTL_EXEC" is-system-running) != "offline" ]]; then
+  "$SYSTEMCTL_EXEC" stop 'tftp.service'
+fi
 "$SYSTEMCTL_EXEC" disable 'tftp.service'
 "$SYSTEMCTL_EXEC" mask 'tftp.service'
 # Disable socket activation if we have a unit file for it
 if "$SYSTEMCTL_EXEC" -q list-unit-files tftp.socket; then
-    "$SYSTEMCTL_EXEC" stop 'tftp.socket'
+    if [[ $("$SYSTEMCTL_EXEC" is-system-running) != "offline" ]]; then
+      "$SYSTEMCTL_EXEC" stop 'tftp.socket'
+    fi
     "$SYSTEMCTL_EXEC" mask 'tftp.socket'
 fi
 # The service may not be running because it has been started and failed,

bash remediation for rule 'xccdf_org.ssgproject.content_rule_service_cups_disabled' differs.
--- xccdf_org.ssgproject.content_rule_service_cups_disabled
+++ xccdf_org.ssgproject.content_rule_service_cups_disabled
@@ -2,12 +2,16 @@
 if rpm --quiet -q kernel; then
 
 SYSTEMCTL_EXEC='/usr/bin/systemctl'
-"$SYSTEMCTL_EXEC" stop 'cups.service'
+if [[ $("$SYSTEMCTL_EXEC" is-system-running) != "offline" ]]; then
+  "$SYSTEMCTL_EXEC" stop 'cups.service'
+fi
 "$SYSTEMCTL_EXEC" disable 'cups.service'
 "$SYSTEMCTL_EXEC" mask 'cups.service'
 # Disable socket activation if we have a unit file for it
 if "$SYSTEMCTL_EXEC" -q list-unit-files cups.socket; then
-    "$SYSTEMCTL_EXEC" stop 'cups.socket'
+    if [[ $("$SYSTEMCTL_EXEC" is-system-running) != "offline" ]]; then
+      "$SYSTEMCTL_EXEC" stop 'cups.socket'
+    fi
     "$SYSTEMCTL_EXEC" mask 'cups.socket'
 fi
 # The service may not be running because it has been started and failed,

bash remediation for rule 'xccdf_org.ssgproject.content_rule_service_squid_disabled' differs.
--- xccdf_org.ssgproject.content_rule_service_squid_disabled
+++ xccdf_org.ssgproject.content_rule_service_squid_disabled
@@ -2,12 +2,16 @@
 if ( rpm --quiet -q squid && rpm --quiet -q kernel ); then
 
 SYSTEMCTL_EXEC='/usr/bin/systemctl'
-"$SYSTEMCTL_EXEC" stop 'squid.service'
+if [[ $("$SYSTEMCTL_EXEC" is-system-running) != "offline" ]]; then
+  "$SYSTEMCTL_EXEC" stop 'squid.service'
+fi
 "$SYSTEMCTL_EXEC" disable 'squid.service'
 "$SYSTEMCTL_EXEC" mask 'squid.service'
 # Disable socket activation if we have a unit file for it
 if "$SYSTEMCTL_EXEC" -q list-unit-files squid.socket; then
-    "$SYSTEMCTL_EXEC" stop 'squid.socket'
+    if [[ $("$SYSTEMCTL_EXEC" is-system-running) != "offline" ]]; then
+      "$SYSTEMCTL_EXEC" stop 'squid.socket'
+    fi
     "$SYSTEMCTL_EXEC" mask 'squid.socket'
 fi
 # The service may not be running because it has been started and failed,

bash remediation for rule 'xccdf_org.ssgproject.content_rule_service_rngd_enabled' differs.
--- xccdf_org.ssgproject.content_rule_service_rngd_enabled
+++ xccdf_org.ssgproject.content_rule_service_rngd_enabled
@@ -3,7 +3,9 @@
 
 SYSTEMCTL_EXEC='/usr/bin/systemctl'
 "$SYSTEMCTL_EXEC" unmask 'rngd.service'
-"$SYSTEMCTL_EXEC" start 'rngd.service'
+if [[ $("$SYSTEMCTL_EXEC" is-system-running) != "offline" ]]; then
+  "$SYSTEMCTL_EXEC" start 'rngd.service'
+fi
 "$SYSTEMCTL_EXEC" enable 'rngd.service'
 
 else

bash remediation for rule 'xccdf_org.ssgproject.content_rule_service_zebra_disabled' differs.
--- xccdf_org.ssgproject.content_rule_service_zebra_disabled
+++ xccdf_org.ssgproject.content_rule_service_zebra_disabled
@@ -2,12 +2,16 @@
 if rpm --quiet -q kernel; then
 
 SYSTEMCTL_EXEC='/usr/bin/systemctl'
-"$SYSTEMCTL_EXEC" stop 'zebra.service'
+if [[ $("$SYSTEMCTL_EXEC" is-system-running) != "offline" ]]; then
+  "$SYSTEMCTL_EXEC" stop 'zebra.service'
+fi
 "$SYSTEMCTL_EXEC" disable 'zebra.service'
 "$SYSTEMCTL_EXEC" mask 'zebra.service'
 # Disable socket activation if we have a unit file for it
 if "$SYSTEMCTL_EXEC" -q list-unit-files zebra.socket; then
-    "$SYSTEMCTL_EXEC" stop 'zebra.socket'
+    if [[ $("$SYSTEMCTL_EXEC" is-system-running) != "offline" ]]; then
+      "$SYSTEMCTL_EXEC" stop 'zebra.socket'
+    fi
     "$SYSTEMCTL_EXEC" mask 'zebra.socket'
 fi
 # The service may not be running because it has been started and failed,

bash remediation for rule 'xccdf_org.ssgproject.content_rule_service_smb_disabled' differs.
--- xccdf_org.ssgproject.content_rule_service_smb_disabled
+++ xccdf_org.ssgproject.content_rule_service_smb_disabled
@@ -2,12 +2,16 @@
 if rpm --quiet -q kernel; then
 
 SYSTEMCTL_EXEC='/usr/bin/systemctl'
-"$SYSTEMCTL_EXEC" stop 'smb.service'
+if [[ $("$SYSTEMCTL_EXEC" is-system-running) != "offline" ]]; then
+  "$SYSTEMCTL_EXEC" stop 'smb.service'
+fi
 "$SYSTEMCTL_EXEC" disable 'smb.service'
 "$SYSTEMCTL_EXEC" mask 'smb.service'
 # Disable socket activation if we have a unit file for it
 if "$SYSTEMCTL_EXEC" -q list-unit-files smb.socket; then
-    "$SYSTEMCTL_EXEC" stop 'smb.socket'
+    if [[ $("$SYSTEMCTL_EXEC" is-system-running) != "offline" ]]; then
+      "$SYSTEMCTL_EXEC" stop 'smb.socket'
+    fi
     "$SYSTEMCTL_EXEC" mask 'smb.socket'
 fi
 # The service may not be running because it has been started and failed,
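
Review bot: Missing documentation on the new guards around `stop 'smb.service'` and `stop 'smb.socket'`: nothing in the script says why stopping is conditional while `disable` and `mask` stay unconditional. A one-line comment above the first `if`, noting that in an offline environment (chroot, image build) there is no running unit to stop and only the on-disk configuration is changed, would keep a later reader from removing the check as redundant.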

bash remediation for rule 'xccdf_org.ssgproject.content_rule_service_snmpd_disabled' differs.
--- xccdf_org.ssgproject.content_rule_service_snmpd_disabled
+++ xccdf_org.ssgproject.content_rule_service_snmpd_disabled
@@ -2,12 +2,16 @@
 if ( rpm --quiet -q net-snmp && rpm --quiet -q kernel ); then
 
 SYSTEMCTL_EXEC='/usr/bin/systemctl'
-"$SYSTEMCTL_EXEC" stop 'snmpd.service'
+if [[ $("$SYSTEMCTL_EXEC" is-system-running) != "offline" ]]; then
+  "$SYSTEMCTL_EXEC" stop 'snmpd.service'
+fi
 "$SYSTEMCTL_EXEC" disable 'snmpd.service'
 "$SYSTEMCTL_EXEC" mask 'snmpd.service'
 # Disable socket activation if we have a unit file for it
 if "$SYSTEMCTL_EXEC" -q list-unit-files snmpd.socket; then
-    "$SYSTEMCTL_EXEC" stop 'snmpd.socket'
+    if [[ $("$SYSTEMCTL_EXEC" is-system-running) != "offline" ]]; then
+      "$SYSTEMCTL_EXEC" stop 'snmpd.socket'
+    fi
     "$SYSTEMCTL_EXEC" mask 'snmpd.socket'
 fi
 # The service may not be running because it has been started and failed,
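
Review bot: Style point on the nested guard in the `snmpd.socket` block: the `if` sits at four spaces but its body, `stop 'snmpd.socket'`, is indented only two more (six spaces), while the enclosing `list-unit-files` block uses four-space steps. Pick one indentation width in the template so the generated remediations are consistent; the top-level guard before `stop 'snmpd.service'` has the same two-space body.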

bash remediation for rule 'xccdf_org.ssgproject.content_rule_service_sshd_enabled' differs.
--- xccdf_org.ssgproject.content_rule_service_sshd_enabled
+++ xccdf_org.ssgproject.content_rule_service_sshd_enabled
@@ -3,7 +3,9 @@
 
 SYSTEMCTL_EXEC='/usr/bin/systemctl'
 "$SYSTEMCTL_EXEC" unmask 'sshd.service'
-"$SYSTEMCTL_EXEC" start 'sshd.service'
+if [[ $("$SYSTEMCTL_EXEC" is-system-running) != "offline" ]]; then
+  "$SYSTEMCTL_EXEC" start 'sshd.service'
+fi
 "$SYSTEMCTL_EXEC" enable 'sshd.service'
 
 else
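
Review bot: When the guard before `start 'sshd.service'` sees "offline", the start is skipped silently and the script carries on to `enable`. Consider an `else` branch that prints a short message saying the start was skipped because no service manager is running, so the remediation output records that only the boot-time configuration was changed.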

bash remediation for rule 'xccdf_org.

... The diff is trimmed here ...

@teacup-on-rockingchair added the Bash (Bash remediation update.) and Update Template (Issues or pull requests related to Templates updates.) labels Jan 28, 2025
@teacup-on-rockingchair modified the milestone: 0.1.76 Jan 28, 2025

codeclimate bot commented Jan 28, 2025

Code Climate has analyzed commit 7a1927a and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 61.9% (0.0% change).


@jan-cerny added this to the 0.1.76 milestone Jan 29, 2025
@jan-cerny self-assigned this Jan 29, 2025
Collaborator

@jan-cerny left a comment


This is amazing and it's also great for Image Mode RHEL.

I have built a RHEL 10 STIG hardened bootable container image and the remediations went fine, without polluting the HTML report with errors.

@jan-cerny merged commit 7d23e5b into ComplianceAsCode:master Jan 29, 2025
104 of 109 checks passed
@jan-cerny added the Image Mode (Bootable containers and Image Mode RHEL) label Jan 29, 2025
Successfully merging this pull request may close these issues.

remediation and verification for systemd services
2 participants