Same for me with Rocky8. Problem comes with the user "operator" who have as home directory /root (correct as it has task of maintenance). Script found that "operator" is a hacker




??
You can take out operator from the list in the script but it will probably be updated.
The script set "operator" with a nologin shell (/sbin/nologin in /etc/passwd) but continue to consider it as dangerous (eval echo "~operator" still output /root).
As I don't know if it's safe to remove operator user (some people say yes) I change the home directory for that user: usermod -d /home operator.
Other thing incorrect: if the file /root/.ssh is configured as immutable (+i) then everyday it gets out as unprotected.
It seems to me that the script has been done with urgency for a specific case, but lack few things.