Bug 1747188
| Field | Value | Field | Value |
|---|---|---|---|
| Summary | Ansible openscap remediations have a duplicate dict key (section) | | |
| Product | Red Hat Enterprise Linux 7 | Reporter | Ryan Mullett <rmullett> |
| Component | scap-security-guide | Assignee | Gabriel Gaspar Becker <ggasparb> |
| Status | CLOSED ERRATA | QA Contact | Jan Černý <jcerny> |
| Severity | low | Docs Contact | Eric Christensen <sparks> |
| Priority | medium | | |
| Version | 7.8 | CC | ggasparb, jcerny, mhaicman, mlysonek, openscap-maint, sparks, vpolasek, wsato |
| Target Milestone | rc | | |
| Target Release | --- | | |
| Hardware | All | | |
| OS | Linux | | |
| Whiteboard | | | |
| Fixed In Version | scap-security-guide-0.1.45-1.el7 | Doc Type | No Doc Update |
| Doc Text | | Story Points | --- |
| Clone Of | | Environment | |
| Last Closed | 2020-03-31 19:38:15 UTC | Type | Bug |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
Thank you for the report, Ryan! This issue has already been fixed upstream and should be in the next release: https://github.com/ComplianceAsCode/content/pull/4359

I have checked that in scap-security-guide-0.1.46-5.el7.noarch the generated playbook contains only one `section` key under the `ini_file` key in the task `Add default domain group and use STARTTLS (if no domain there)`. This task runs successfully.

However, the whole playbook fails in my testing environment because it terminates before finishing.

In --check mode, it fails on:
8<---8<---8<---8<---8<---8<---8<---8<---
TASK [Disable service kdump] ****************************************************************************
fatal: [localhost]: FAILED! => {"msg": "The conditional check 'service_file_exists.rc == 0' failed. The error was: error while evaluating conditional (service_file_exists.rc == 0): 'dict object' has no attribute 'rc'\n\nThe error appears to be in '/root/stig-rhel7-role2.yml': line 430, column 7, but may\nbe elsewhere in the file depending on the exact syntax problem.\n\nThe offending line appears to be:\n\n\n - name: Disable service kdump\n ^ here\n"}
8<---8<---8<---8<---8<---8<---8<---8<---
In real run, it fails on:
8<---8<---8<---8<---8<---8<---8<---8<---
TASK [Get nfs and nfs4 mount points, that don't have nosuid] ********************************************
fatal: [localhost]: FAILED! => {"changed": false, "cmd": "set -o pipefail\ngrep -E \"[[:space:]]nfs[4]?[[:space:]]\" /etc/fstab | grep -v \"nosuid\" | awk '{print $2}'\n", "delta": "0:00:00.006738", "end": "2019-11-13 04:33:35.210072", "msg": "non-zero return code", "rc": 1, "start": "2019-11-13 04:33:35.203334", "stderr": "", "stderr_lines": [], "stdout": "", "stdout_lines": []}
8<---8<---8<---8<---8<---8<---8<---8<---
The failure has been reported in the rebase Bugzilla https://bugzilla.redhat.com/show_bug.cgi?id=1726698

The kdump service failure has been reported upstream in https://github.com/ComplianceAsCode/content/issues/5003 which references https://github.com/RedHatOfficial/ansible-role-rhel7-stig/issues/18

Moving to VERIFIED based on Comment 5.

The issue with the terminating Ansible playbook has been introduced by the rebase Bugzilla https://bugzilla.redhat.com/show_bug.cgi?id=1726698 and it will be tracked/fixed there.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2020:1019
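The `--check` failure quoted above has a general cause rather than a kdump-specific one: in check mode Ansible skips `command`/`shell` tasks unless the task sets `check_mode: false`, so a variable registered by such a task carries only `skipped: true` and no `rc`, and any later `when: <var>.rc == 0` blows up exactly as shown. The following is an added example, not code from the bug report, the playbook, or scap-security-guide: a static check, built on PyYAML (assumed installed), that walks a playbook's flat `tasks:` lists and reports every `when:` that dereferences `.rc` on a register that check mode would leave undefined. The embedded playbook is a constructed stand-in shaped like the kdump tasks, not the contents of `stig-rhel7-role2.yml`. The nfs task failure in the real run is a different mechanism: `grep` exits 1 when nothing matches, and `set -o pipefail` turns that into a non-zero pipeline status, so an empty (clean) `/etc/fstab` fails the task; a `failed_when: <register>.rc > 1` guard on that task distinguishes "no match" from a real error.

```python
"""Find `when:` conditions that read `.rc` from a register that
`ansible-playbook --check` would leave without one.

Added example, not part of the bug report or of scap-security-guide.
Only flat `tasks:` lists are walked (no `block:`/`pre_tasks:` nesting).
"""
import re
import sys

import yaml

# Constructed sample shaped like the generated kdump tasks; it is not the
# content of the playbook in the report.
SAMPLE_PLAYBOOK = """\
- hosts: all
  tasks:
    - name: Test for kdump service unit
      command: systemctl list-unit-files kdump.service
      register: service_file_exists
      changed_when: false
      failed_when: false

    - name: Disable service kdump
      service:
        name: kdump
        enabled: false
        state: stopped
      when: service_file_exists.rc == 0

    - name: Test for auditd service unit (runs even under --check)
      command: systemctl list-unit-files auditd.service
      register: auditd_unit
      check_mode: false
      changed_when: false
      failed_when: false

    - name: Enable service auditd
      service:
        name: auditd
        enabled: true
        state: started
      when: auditd_unit.rc == 0
"""

_RC_REF = re.compile(r"\b(\w+)\.rc\b")


def find_check_mode_unsafe(text):
    """Return [(task name, variable)] for each conditional that would fail
    under --check because the variable's command/shell task is skipped."""
    findings = []
    for play in yaml.safe_load(text) or []:
        skipped_in_check = set()   # registers that --check leaves without rc
        for task in play.get("tasks", []):
            if ("command" in task or "shell" in task) and "register" in task:
                # check_mode: false forces the task to run even under --check
                if task.get("check_mode") is not False:
                    skipped_in_check.add(task["register"])
            when = task.get("when")
            if when is None:
                continue
            conditions = when if isinstance(when, list) else [when]
            for cond in map(str, conditions):
                for var in sorted(set(_RC_REF.findall(cond))):
                    guarded = (f"{var}.rc is defined" in cond
                               or f"{var} is skipped" in cond
                               or f"{var} is not skipped" in cond)
                    if var in skipped_in_check and not guarded:
                        findings.append((task.get("name"), var))
    return findings


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            source = fh.read()
    else:
        source = SAMPLE_PLAYBOOK
    for name, var in find_check_mode_unsafe(source):
        print(f"task {name!r}: `{var}.rc` is undefined under --check; "
              f"add `check_mode: false` to the task that registers {var}, "
              f"or guard with `{var}.rc is defined`")
```

Run against the sample, the check flags only `Disable service kdump`; the auditd pair passes because its probing task carries `check_mode: false`. Either fix is acceptable for generated remediations: forcing the read-only probe to run under check mode keeps the conditional meaningful, while the `is defined` guard silently skips the remediation when the probe did not run.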
Description of problem:
Duplicate dict key syntax error when using Ansible openscap remediations.

Version-Release number of selected component (if applicable):
- ansible (tried with 2.4 from extras as well as 2.8 ae)
- scap-security-guide-0.1.43-13.el7.noarch.rpm

How reproducible:
Always

Steps to Reproduce:
1. `# oscap xccdf generate fix --fix-type ansible --profile stig-rhel7-disa --output stig-rhel7-role2.yml /usr/share/xml/scap/ssg/content/ssg-rhel7-xccdf.xml`
2. `# ansible-playbook -i "localhost," -c local --check stig-rhel7-role2.yml`

Actual results:
```
[WARNING]: While constructing a mapping from /root/stig-rhel7-role2.yml, line 334, column 9, found a duplicate dict key (section). Using last defined value only.
```

Expected results:
No duplicate dict key in the remediations.

Additional info:
Here's the relevant section. The issue is lines 335/336 in the generated playbook.

```
332     - name: "Add default domain group and use STARTTLS (if no domain there)"
333       ini_file:
334         path: /etc/sssd/sssd.conf
335         section: domain/default
336         section: "{{ item.section }}"
337         option: "{{ item.option }}"
338         value: "{{ item.value }}"
339         create: yes
340         mode: 0600
341       with_items:
342         - { section: sssd, option: domains, value: default}
343         - { section: domain/default, option: id_provider, value: files }
344         - { section: domain/default, option: ldap_id_use_start_tls, value: true}
345       when: test_grep_domain.stdout == "" and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")
346       tags:
347         - sssd_ldap_start_tls
348         - medium_severity
349         - unknown_strategy
350         - low_complexity
351         - medium_disruption
352         - CCE-80546-5
353         - NIST-800-53-AC-17(2)
354         - NIST-800-53-CM-7
355         - DISA-STIG-RHEL-07-040180
```
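The warning in the report comes from Ansible's own YAML constructor; plain PyYAML, which Ansible builds on, keeps the last value of a duplicated key and says nothing, so the static `section: domain/default` is lost and every `with_items` entry is written under `{{ item.section }}`. The following is an added example, not code from the bug report or from scap-security-guide: a small duplicate-key linter built on a PyYAML `SafeLoader` subclass (assumes PyYAML is installed) that records both line numbers of every duplicate while still returning the "last value wins" document Ansible would execute, so a generated playbook can be rejected before it is applied to a host. The embedded task is a constructed copy of the snippet above, not the generated file.

```python
"""Report duplicate mapping keys in a generated Ansible playbook.

Added example, not part of the bug report or of scap-security-guide.
Assumes PyYAML (`import yaml`) is available.
"""
import sys

import yaml

# Constructed sample shaped like the task quoted in the report; the
# generated playbook itself is not reproduced here.
SAMPLE_TASK = """\
- name: "Add default domain group and use STARTTLS (if no domain there)"
  ini_file:
    path: /etc/sssd/sssd.conf
    section: domain/default
    section: "{{ item.section }}"
    option: "{{ item.option }}"
    value: "{{ item.value }}"
    create: yes
    mode: 0600
  with_items:
    - { section: sssd, option: domains, value: default }
    - { section: domain/default, option: id_provider, value: files }
    - { section: domain/default, option: ldap_id_use_start_tls, value: true }
  when: test_grep_domain.stdout == ""
"""


def find_duplicate_keys(text):
    """Parse `text` as YAML and return (documents, findings).

    findings is a list of (key, first_line, duplicate_line) tuples with
    1-based line numbers. documents are constructed with the last value
    winning, which is what Ansible does after printing its warning.
    Merge keys (`<<`) are not flattened by this loader.
    """
    findings = []

    class _Loader(yaml.SafeLoader):
        pass

    def _construct_mapping(loader, node):
        mapping = {}
        first_seen = {}
        for key_node, value_node in node.value:
            key = loader.construct_object(key_node, deep=True)
            line = key_node.start_mark.line + 1     # marks are 0-based
            if key in mapping:
                findings.append((key, first_seen[key], line))
            else:
                first_seen[key] = line
            mapping[key] = loader.construct_object(value_node, deep=True)
        return mapping

    # Install our constructor for every mapping node (block or flow style)
    _Loader.add_constructor("tag:yaml.org,2002:map", _construct_mapping)
    documents = list(yaml.load_all(text, Loader=_Loader))
    return documents, findings


def lint_file(path):
    """Print each duplicate and return the number found."""
    with open(path, encoding="utf-8") as fh:
        _, findings = find_duplicate_keys(fh.read())
    for key, first, dup in findings:
        print(f"{path}:{dup}: duplicate key {key!r} "
              f"(first defined at line {first})")
    return len(findings)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        sys.exit(1 if lint_file(sys.argv[1]) else 0)
    docs, findings = find_duplicate_keys(SAMPLE_TASK)
    print(findings)                               # [('section', 4, 5)]
    print(docs[0][0]["ini_file"]["section"])      # {{ item.section }}
```

Run as `python dup_keys.py stig-rhel7-role2.yml` right after `oscap xccdf generate fix`; the non-zero exit status on any duplicate makes it usable as a gate wherever the remediations are rendered, which matters because the warning Ansible prints is easy to miss in a long playbook run and the task still executes with the wrong `section`.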