The version currently in RHEL7 is 0.1.43. Upstream version 0.1.44 is already released (on May 3rd 2019), changes from 0.1.43 to 0.1.44 can be checked here: https://github.com/ComplianceAsCode/content/releases/tag/v0.1.44 Next upstream release version 0.1.45 is to happen soon, in July 2019.
The Ansible Playbook for the STIG profile errors out in scap-security-guide-0.1.46-5.el7.noarch and terminates before finishing.

1. # oscap xccdf generate fix --fix-type ansible --profile stig --output stig-rhel7-role2.yml /usr/share/xml/scap/ssg/content/ssg-rhel7-xccdf.xml
2. # ansible-playbook -i "localhost," -c local --check stig-rhel7-role2.yml

In --check mode, it fails on:

8<---8<---8<---8<---8<---8<---8<---8<---
TASK [Disable service kdump] ****************************************************************************
fatal: [localhost]: FAILED! => {"msg": "The conditional check 'service_file_exists.rc == 0' failed. The error was: error while evaluating conditional (service_file_exists.rc == 0): 'dict object' has no attribute 'rc'\n\nThe error appears to be in '/root/stig-rhel7-role2.yml': line 430, column 7, but may\nbe elsewhere in the file depending on the exact syntax problem.\n\nThe offending line appears to be:\n\n\n - name : Disable service kdump\n ^ here\n"}
8<---8<---8<---8<---8<---8<---8<---8<---

In a real run, it fails on:

8<---8<---8<---8<---8<---8<---8<---8<---
TASK [Get nfs and nfs4 mount points, that don't have nosuid] ********************************************
fatal: [localhost]: FAILED! => {"changed": false, "cmd": "set -o pipefail\ngrep -E \"[[:space:]]nfs[4]?[[:space:]]\" /etc/fstab | grep -v \"nosuid\" | awk '{print $2}'\n", "delta": "0:00:00.006738", "end": "2019-11-13 04:33:35.210072", "msg": "non-zero return code", "rc": 1, "start": "2019-11-13 04:33:35.203334", "stderr": "", "stderr_lines": [], "stdout": "", "stdout_lines": []}
8<---8<---8<---8<---8<---8<---8<---8<---

This problem has been discovered during verification of https://bugzilla.redhat.com/show_bug.cgi?id=1747188
The kdump service fail has been reported upstream in https://github.com/ComplianceAsCode/content/issues/5003 which references https://github.com/RedHatOfficial/ansible-role-rhel7-stig/issues/18
The issue with the failing nfs Ansible remediation mentioned in Comment 8 has already been fixed upstream: https://github.com/ComplianceAsCode/content/pull/4784
The omission of removing directory_access_var_log_audit rule in favor of audit_rules_for_ospp should be backported and the fix already exists upstream: https://github.com/ComplianceAsCode/content/pull/4957
I have checked the Ansible Playbook generated using the 'stig' profile from ssg-rhel7-ds.xml provided by scap-security-guide-0.1.46-5.el7.noarch. I have continuously removed all the failing tasks from the playbook to allow the playbook to finish.

In the real run (without --check) the offending rules were: mount_option_nosuid_remote_filesystems and mount_option_noexec_remote_filesystems. These are templated rules, which means the Ansible template mount_option_remote_filesystems needs to be fixed.

In check mode (with --check), there are more errors than in the real run, specifically:
- service_autofs_disabled and service_kdump_disabled - they are templated, we need to fix the Ansible template service_disabled
- mount_option_nosuid_remote_filesystems and mount_option_noexec_remote_filesystems - they are templated, we need to fix the Ansible template mount_option_remote_filesystems
- mount_option_krb_sec_remote_filesystem
- grub2_enable_fips_mode
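Added illustration of the two failure shapes quoted in the comments above (not code from this bug, from the ssg templates, or from the upstream pull requests): each task is shown in a form that reproduces the reported error, followed by a hardened variant. The probe command for the kdump unit and the fstab regex are assumptions.

```yaml
# Added illustration (not the upstream patch): the two failure patterns from
# the generated STIG playbook, each shown beside a hardened variant.
#
# 1. "Disable service kdump": under --check, the shell/command task that
#    registers service_file_exists is skipped, so the registered dict has no
#    'rc' key and the `when:` expression raises instead of evaluating false.
- name: Check whether the kdump unit file exists (hypothetical probe)
  command: systemctl cat kdump.service
  register: service_file_exists
  changed_when: false
  failed_when: false     # rc != 0 just means "no such unit"
  check_mode: false      # read-only probe, so run it even under --check

- name: Disable service kdump
  service:
    name: kdump
    enabled: false
    state: stopped
  when:
    - service_file_exists.rc is defined
    - service_file_exists.rc == 0

# 2. "Get nfs and nfs4 mount points, that don't have nosuid": grep exits 1
#    when nothing matches and `set -o pipefail` propagates that, so a host
#    with no NFS mounts is reported as a failure instead of "nothing to do".
- name: Get nfs and nfs4 mount points, that don't have nosuid
  shell: |
    set -o pipefail
    grep -E "[[:space:]]nfs[4]?[[:space:]]" /etc/fstab | grep -v "nosuid" | awk '{print $2}'
  register: points_register
  changed_when: false
  failed_when: points_register.rc not in [0, 1]   # rc 1 == no match, not an error
  check_mode: false

- name: Add nosuid to the fstab entry of each mount point found
  lineinfile:
    path: /etc/fstab
    regexp: '^(\S+\s+{{ item | regex_escape }}\s+nfs4?\s+)(\S+)(.*)$'
    line: '\1\2,nosuid\3'
    backrefs: true
  loop: "{{ points_register.stdout_lines }}"
```

With an empty match list the loop simply runs zero times, and under --check both probes still execute while the service and lineinfile tasks report what they would change.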
There is a fix upstream for the Ansible playbook generated using the 'stig' profile: https://github.com/ComplianceAsCode/content/pull/5004
Two patches which fix missing CCE identifiers need to be backported:
https://github.com/ComplianceAsCode/content/pull/4866
https://github.com/ComplianceAsCode/content/pull/4956
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2020:1019