Bug 1976123

Summary: Ansible remediations of 3 dconf_gnome related rules don't work properly
Product: Red Hat Enterprise Linux 7 Reporter: Matus Marhefka <mmarhefk>
Component: scap-security-guideAssignee: Vojtech Polasek <vpolasek>
Status: CLOSED ERRATA QA Contact: Milan Lysonek <mlysonek>
Severity: medium Docs Contact: Jan Fiala <jafiala>
Priority: unspecified    
Version: 7.9CC: ggasparb, jafiala, jreznik, lkuprova, mhaicman, mjahoda, mlysonek, vpolasek, wsato
Target Milestone: rcKeywords: Triaged, ZStream
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: scap-security-guide-0.1.57-4.el7_9 Doc Type: Bug Fix
Doc Text:
.Fixed Ansible remediations for `scap-security-guide` GNOME `dconf` rules Previously, Ansible remediations for some rules covering the GNOME `dconf` configuration systems were not aligned with the corresponding OVAL checks. Consequently, Ansible incorrectly remediated the following rules, marking them as `failed` in subsequent scans: * `dconf_gnome_screensaver_idle_activation_enabled` * `dconf_gnome_screensaver_idle_delay` * `dconf_gnome_disable_automount_open` With the update released in the link:https://access.redhat.com/errata/RHBA-2021:4781[RHBA-2021:4781] advisory, Ansible regular expressions have been fixed. As a result, these rules remediate correctly in the `dconf` configuration.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2021-11-23 17:14:34 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Matus Marhefka 2021-06-25 09:13:21 UTC 
Description of problem:
Ansible remediations of the following rules don't work properly:

dconf_gnome_screensaver_idle_activation_enabled
dconf_gnome_screensaver_idle_delay
dconf_gnome_disable_automount_open

Most likely the Ansible remediations are not aligned with the respective OVAL checks.

Version-Release number of selected component (if applicable):
scap-security-guide-0.1.54-6.el7_9

How reproducible:
always

Steps to Reproduce:
1. Generate Ansible fix for the 3 mentioned rules.
2. Apply generated Ansible playbook(s).
3. Evaluate these rules using openscap.

Actual results:
The rules are failing after the evaluation with openscap.

Expected results:
The rules are passing after the evaluation with openscap.


Additional info:
Comment 3 Gabriel Gaspar Becker 2021-06-25 11:02:32 UTC 
The following rules should be fixed by these PRs

dconf_gnome_screensaver_idle_activation_enabled
https://github.com/ComplianceAsCode/content/pull/7047

dconf_gnome_screensaver_idle_delay
https://github.com/ComplianceAsCode/content/pull/6770
Comment 5 Gabriel Gaspar Becker 2021-06-30 13:54:26 UTC 
The rule dconf_gnome_disable_automount_open is fixed by:
https://github.com/ComplianceAsCode/content/pull/7150
Comment 20 errata-xmlrpc 2021-11-23 17:14:34 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (scap-security-guide bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:4781
Comment 23 Jan Fiala 2021-12-06 14:26:43 UTC 
Thanks Vojtech for the comment. I adjusted the doc text slightly, but I don't have any more information I could provide. Is there any other info missing?