diff --git a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_ca/rule.yml b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_ca/rule.yml
index c21b1e61282..75170a09498 100644
--- a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_ca/rule.yml
+++ b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_ca/rule.yml
@@ -43,4 +43,8 @@ ocil: |-
The output should return the following with a correctly configured CA cert path:
ldap_tls_cacert /path/to/tls/ca.cert
+warnings:
+ - general:
+ A remediation is not provided for this rule as each system has unique requirements.
+
platform: sssd-ldap
diff --git a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_ca_dir/rule.yml b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_ca_dir/rule.yml
index c5ef2526148..12f5e37b6d0 100644
--- a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_ca_dir/rule.yml
+++ b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_ca_dir/rule.yml
@@ -32,7 +32,6 @@ references:
nist: SC-12(3),CM-6(a)
srg: SRG-OS-000250-GPOS-00093
stigid@ol7: OL07-00-040200
- stigid@rhel7: RHEL-07-040200
ocil_clause: 'the TLS CA cert is not configured'
diff --git a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/oval/shared.xml b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/oval/shared.xml
index 688cf17abba..9a665813a97 100644
--- a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/oval/shared.xml
+++ b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/oval/shared.xml
@@ -14,7 +14,7 @@
- /etc/sssd/sssd.conf
+ ^\/etc\/sssd\/(sssd.conf|conf\.d\/.+\.conf)$
^[\s]*\[domain\/[^]]*]([^\n\[\]]*\n+)+?[\s]*ldap_tls_reqcert[ \t]*=[ \t]*((?i)demand)[ \t]*$
1
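Review bot: The new filepath pattern matches more files than SSSD reads: the dot in `sssd.conf` is unescaped, and `.+` also matches `/` and a leading dot, so nested paths and hidden files under conf.d are collected. sssd.conf(5) describes only `*.conf` files placed directly in conf.d and not starting with a dot as being used, so a line in one of the extra files could satisfy the check without being in effect. Consider `^\/etc\/sssd\/(sssd\.conf|conf\.d\/[^\/.][^\/]*\.conf)$`. The same pattern is added in sssd_ldap_start_tls/oval/shared.xml; the element attributes around this line are not visible in the hunk.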
diff --git a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/tests/ad_id_provider_and_reqcert_never.notapplicable.sh b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/tests/ad_id_provider_and_reqcert_never.notapplicable.sh
index e3800af1f29..536c770ab2d 100644
--- a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/tests/ad_id_provider_and_reqcert_never.notapplicable.sh
+++ b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/tests/ad_id_provider_and_reqcert_never.notapplicable.sh
@@ -1,4 +1,5 @@
#!/bin/bash
+# packages = /usr/lib/systemd/system/sssd.service
. $SHARED/setup_config_files.sh
setup_correct_sssd_config
diff --git a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/tests/correct_value.pass.sh b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/tests/correct_value.pass.sh
index 8cc0be8d913..49e23b92fe7 100644
--- a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/tests/correct_value.pass.sh
+++ b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/tests/correct_value.pass.sh
@@ -1,4 +1,5 @@
#!/bin/bash
+# packages = /usr/lib/systemd/system/sssd.service
. $SHARED/setup_config_files.sh
setup_correct_sssd_config
diff --git a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/tests/correct_value_dropin.pass.sh b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/tests/correct_value_dropin.pass.sh
new file mode 100644
index 00000000000..3129eb06a44
--- /dev/null
+++ b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/tests/correct_value_dropin.pass.sh
@@ -0,0 +1,11 @@
+#!/bin/bash
+# packages = /usr/lib/systemd/system/sssd.service
+
+. $SHARED/setup_config_files.sh
+setup_correct_sssd_config
+
+sed -i '/ldap_tls_reqcert/d' /etc/sssd/sssd.conf
+
+echo '[domain/default]' >> /etc/sssd/conf.d/cac.conf
+echo 'ldap_tls_reqcert = demand' >> /etc/sssd/conf.d/cac.conf
+systemctl enable sssd
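Review bot: The drop-in `/etc/sssd/conf.d/cac.conf` is created through `>>` with the default umask, while sssd.conf(5) requires snippets to have the same owner and permissions as sssd.conf (root, 0600), so a snippet with looser permissions may not be loaded. The fixture can therefore pass the text-only check without being a file SSSD would honour. Adding `mkdir -p /etc/sssd/conf.d` before the first `echo` and `chmod 600 /etc/sssd/conf.d/cac.conf` after the second makes it representative; whether `setup_correct_sssd_config` already creates the directory is not visible here. The sssd_ldap_start_tls drop-in test added later in this commit has the same shape.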
diff --git a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/tests/id_provider_is_set_to_ad.notapplicable.sh b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/tests/id_provider_is_set_to_ad.notapplicable.sh
index f7ac9e76389..0ba2673f11e 100644
--- a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/tests/id_provider_is_set_to_ad.notapplicable.sh
+++ b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/tests/id_provider_is_set_to_ad.notapplicable.sh
@@ -1,4 +1,5 @@
#!/bin/bash
+# packages = /usr/lib/systemd/system/sssd.service
. $SHARED/setup_config_files.sh
setup_correct_sssd_config
diff --git a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/tests/ldap_id_provider_and_reqcert_never.fail.sh b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/tests/ldap_id_provider_and_reqcert_never.fail.sh
index 027b16c83a1..e801ff73f7e 100644
--- a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/tests/ldap_id_provider_and_reqcert_never.fail.sh
+++ b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/tests/ldap_id_provider_and_reqcert_never.fail.sh
@@ -1,4 +1,5 @@
#!/bin/bash
+# packages = /usr/lib/systemd/system/sssd.service
. $SHARED/setup_config_files.sh
setup_correct_sssd_config
diff --git a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/tests/ldap_tls_reqcert_not_there.fail.sh b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/tests/ldap_tls_reqcert_not_there.fail.sh
index 1249e2fd5c5..c3d3ff881cf 100644
--- a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/tests/ldap_tls_reqcert_not_there.fail.sh
+++ b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/tests/ldap_tls_reqcert_not_there.fail.sh
@@ -1,4 +1,5 @@
#!/bin/bash
+# packages = /usr/lib/systemd/system/sssd.service
. $SHARED/setup_config_files.sh
setup_correct_sssd_config
diff --git a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/oval/shared.xml b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/oval/shared.xml
index abd61fc01fc..6cba7c9aaa8 100644
--- a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/oval/shared.xml
+++ b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/oval/shared.xml
@@ -13,7 +13,7 @@
- /etc/sssd/sssd.conf
+ ^\/etc\/sssd\/(sssd.conf|conf\.d\/.+\.conf)$
^[\s]*\[domain\/[^]]*]([^\n\[\]]*\n+)+?[\s]*ldap_id_use_start_tls[ \t]*=[ \t]*((?i)true)[ \t]*$
1
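Review bot: With conf.d included in the filepath, a matching line in one file no longer shows the effective value, because SSSD lets snippets override sssd.conf and later snippets override earlier ones. A host with `ldap_id_use_start_tls = true` in sssd.conf and `false` in a snippet may still satisfy this object; whether it does depends on the check attributes, which are not visible in the hunk. A fail scenario would pin the behaviour, for example a test that keeps the correct sssd.conf and appends `ldap_id_use_start_tls = False` under `[domain/default]` in a conf.d snippet. The sssd_ldap_configure_tls_reqcert check changed in this commit has the same exposure.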
diff --git a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/tests/correct_value_dropin.pass.sh b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/tests/correct_value_dropin.pass.sh
new file mode 100644
index 00000000000..d3113aa0bd5
--- /dev/null
+++ b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/tests/correct_value_dropin.pass.sh
@@ -0,0 +1,11 @@
+#!/bin/bash
+# packages = /usr/lib/systemd/system/sssd.service
+
+. $SHARED/setup_config_files.sh
+setup_correct_sssd_config
+
+sed -i '/ldap_id_use_start_tls/d' /etc/sssd/sssd.conf
+
+echo '[domain/default]' >> /etc/sssd/conf.d/cac.conf
+echo 'ldap_id_use_start_tls = True' >> /etc/sssd/conf.d/cac.conf
+systemctl enable sssd
diff --git a/products/rhel7/profiles/stig.profile b/products/rhel7/profiles/stig.profile
index b19e8a91f7a..08b9402fe83 100644
--- a/products/rhel7/profiles/stig.profile
+++ b/products/rhel7/profiles/stig.profile
@@ -259,7 +259,6 @@ selections:
- sshd_enable_warning_banner
- sssd_ldap_start_tls
- sssd_ldap_start_tls.severity=medium
- - sssd_ldap_configure_tls_ca_dir
- sssd_ldap_configure_tls_ca
- sssd_ldap_configure_tls_reqcert
- sysctl_kernel_randomize_va_space