Bug 1814988

Summary: Applying foreman.scap role from Satellite on client system where DISA STIG Security Policy is applied locally fails.

Product: Red Hat Satellite
Component: SCAP Plugin
Version: 6.6.0
Status: NEW
Severity: medium
Priority: medium
Reporter: Krutika Kinge <kkinge>
Assignee: satellite6-bugs <satellite6-bugs>
QA Contact: Jameer Pathan <jpathan>
CC: ahumbe, aruzicka, egolov, jerome.meyer, mhulan, nshaik, stefan.schwiedel
Target Milestone: Unspecified
Target Release: Unused
Hardware: Unspecified
OS: Unspecified
Keywords: Triaged
Type: Bug
Fixed In Version: ansiblerole-foreman_scap_client-0.1.0
Doc Type: If docs needed, set a value

Description Krutika Kinge 2020-03-19 09:20:32 UTC
Description of problem:
After applying the DISA STIG for RHEL Ansible role of OpenSCAP 0.1.48 (https://github.com/ComplianceAsCode/content/releases/download/v0.1.48/scap-security-guide-0.1.48.zip) to the client system locally, when the 'theforeman.foreman_scap_client' role is applied from the Satellite server, the following error is reported:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
TASK [theforeman.foreman_scap_client : Set facts for rh certs] *****************

fatal: [test.example.com]: FAILED! =>
  msg: |-
    the field 'args' has an invalid value ({u'rh_consumer_private_key_path': u"{{ (rh_certs.stdout | from_json).get('rh_consumer_private_key_path')  }}", u'rh_consumer_cert_path': u"{{ (rh_certs.stdout | from_json).get('rh_consumer_cert_path') }}", u'rh_ca_cert_path': u"{{ (rh_certs.stdout | from_json).get('rh_ca_cert_path') }}"}), and could not be converted to an dict.The error was: No JSON object could be decoded
    The error appears to be in '/usr/share/ansible/roles/theforeman.foreman_scap_client/tasks/main.yml': line 21, column 3, but may
    be elsewhere in the file depending on the exact syntax problem.
    The offending line appears to be:

    - name: 'Set facts for rh certs'
      ^ here
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

This Ansible error seems to be a problem with: https://github.com/theforeman/ansible-foreman_scap_client
More specifically, this commit introduced the new task "Set facts for rh certs": https://github.com/theforeman/ansible-foreman_scap_client/commit/b2bf6c595363174935f94b0f479d27e8eb5690ba

Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
1. Applied the DISA STIG for RHEL Ansible role of OpenSCAP 0.1.48 (https://github.com/ComplianceAsCode/content/releases/download/v0.1.48/scap-security-guide-0.1.48.zip) to the client.
2. Executed the theforeman.foreman_scap_client Ansible role on the client.

Actual results:
The role fails with an error.

Expected results:
It should execute successfully.

Additional info:
It seems that the 'fapolicyd' service is causing the issue and not allowing the script to execute. After stopping the service, everything started working fine.

Comment 3 Ondřej Pražák 2020-03-19 12:18:58 UTC
Could you try whitelisting ruby in fapolicyd? It helped upstream:

https://community.theforeman.org/t/issue-running-theforeman-foreman-scap-client-on-rhel-8/17438

Comment 4 S.Schwiedel 2020-03-31 06:22:53 UTC
Whitelisting helps.
There are 3 possible solutions:
- Red Hat solves the issue by preventing ruby code in Ansible roles from running python
- the openscap policy could whitelist ruby because the ruby script is from the openscap package
- the puppet-agent installer should whitelist ruby since puppet requires ruby

I prefer not to use ruby code in Ansible.
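Comments 3 and 4 both come down to fapolicyd denying the ruby interpreter that the role's "rh certs" task calls, so the ruby script produces no JSON and the `from_json` filter fails. The script below is an added example, not part of this bug report, of the foreman_scap_client role or of the fapolicyd project. It parses denial lines in the format `fapolicyd --debug-deny` prints, counts them by subject executable and object path, and drafts an allow rule narrowed to one subject executable and one object path, only for paths an administrator has explicitly approved (for example after confirming with `rpm -qf` that the interpreter is package-owned). The sample denial lines, the interpreter paths and the `/etc/fapolicyd/rules.d/30-foreman-scap-client.rules` file name are constructed for illustration. Because fapolicyd applies the first rule that matches, a drafted allow rule has to sort before the generic deny rules in `rules.d`.

```python
"""Triage fapolicyd execution denials and draft a narrow allow rule.

Added example; the sample lines, paths and file name below are
constructed and are not taken from the bug report or the role.
"""
import re
from collections import Counter

# Constructed sample in the shape `fapolicyd --debug-deny` prints: an
# Ansible module (platform-python) is denied from executing ruby twice,
# and bash is denied from opening an untrusted temporary module file.
SAMPLE_DENIALS = """\
rule=9 dec=deny_audit perm=execute auid=1000 pid=8142 exe=/usr/libexec/platform-python : path=/usr/bin/ruby ftype=application/x-executable trust=0
rule=9 dec=deny_audit perm=execute auid=1000 pid=8150 exe=/usr/libexec/platform-python : path=/usr/bin/ruby ftype=application/x-executable trust=0
rule=9 dec=deny_audit perm=open auid=1000 pid=8150 exe=/usr/bin/bash : path=/tmp/ansible-tmp-1584610800/AnsiballZ_command.py ftype=text/x-python trust=0
"""

# Constructed file name; files in rules.d are merged in lexical order, so
# the number must sort before the deny rules it is meant to override.
RULES_FILE = "/etc/fapolicyd/rules.d/30-foreman-scap-client.rules"

DENY_RE = re.compile(
    r"rule=(?P<rule>\d+) dec=(?P<dec>\S+) perm=(?P<perm>\S+) .*?"
    r"exe=(?P<exe>\S+) : path=(?P<path>\S+)(?: .*?trust=(?P<trust>[01]))?"
)


def parse_denials(text):
    """Return one dict per denial line; allow decisions and noise are skipped."""
    denials = []
    for line in text.splitlines():
        m = DENY_RE.search(line)
        if m and m.group("dec").startswith("deny"):
            denials.append(m.groupdict())
    return denials


def summarize(denials):
    """Count denials by (perm, subject exe, object path), most frequent first."""
    counts = Counter((d["perm"], d["exe"], d["path"]) for d in denials)
    return counts.most_common()


def draft_allow_rule(exe, path, perm="execute"):
    """Build one fapolicyd allow rule limited to a single subject and object.

    Absolute paths are required so the rule cannot accidentally widen into
    a directory or wildcard match.
    """
    for p in (exe, path):
        if not p.startswith("/") or "*" in p:
            raise ValueError(f"refusing non-absolute or wildcard path: {p}")
    return f"allow perm={perm} exe={exe} : path={path}"


def draft_rules(denials, approved_paths):
    """Draft allow rules only for denied object paths the admin approved.

    Everything else is returned as an 'unreviewed' list with its hit count,
    so a denial of an untrusted script in /tmp is surfaced, not allowed.
    """
    rules, unreviewed = [], []
    for (perm, exe, path), hits in summarize(denials):
        if path in approved_paths:
            rules.append(draft_allow_rule(exe, path, perm))
        else:
            unreviewed.append((perm, exe, path, hits))
    return rules, unreviewed


def render_rules_file(rules):
    """Render the drafted rules as the content of a rules.d fragment."""
    header = f"# drafted from fapolicyd --debug-deny output; install as {RULES_FILE}\n"
    return header + "\n".join(rules) + "\n"


if __name__ == "__main__":
    found = parse_denials(SAMPLE_DENIALS)
    drafted, pending = draft_rules(found, approved_paths={"/usr/bin/ruby"})
    print(render_rules_file(drafted))
    for perm, exe, path, hits in pending:
        print(f"unreviewed: {perm} {exe} -> {path} ({hits} denials)")
```

Running it prints a one-line allow rule for platform-python executing `/usr/bin/ruby` and lists the `/tmp` module file as unreviewed. After installing a fragment like this, `fapolicyd-cli --update` (fapolicyd 1.x) or a service restart reloads the rules; re-running the role with `--debug-deny` still active confirms whether any further denials remain.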

Comment 5 Ondřej Pražák 2020-04-06 06:16:41 UTC
Created redmine issue https://projects.theforeman.org/issues/29475 from this bug

Comment 7 Bryan Kearney 2020-11-05 12:06:18 UTC
Moving this bug to POST for triage into Satellite since the upstream issue https://projects.theforeman.org/issues/29475 has been resolved.

Comment 16 Adam Ruzicka 2023-08-11 11:05:25 UTC
Moving back to new for reevaluation