1747188 – Ansible openscap remediations have a duplicate dict key (section)

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1747188 - Ansible openscap remediations have a duplicate dict key (section)

Summary: Ansible openscap remediations have a duplicate dict key (section)

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	scap-security-guide
Sub Component:
Version:	7.8
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	low
Target Milestone:	rc
Target Release:	---
Assignee:	Gabriel Gaspar Becker
QA Contact:	Jan Černý
Docs Contact:	Eric Christensen
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2019-08-29 21:00 UTC by Ryan Mullett
Modified:	2023-09-07 20:30 UTC (History)
CC List:	8 users (show)
Fixed In Version:	scap-security-guide-0.1.45-1.el7
Doc Type:	No Doc Update
Doc Text:
Clone Of:
Environment:
Last Closed:	2020-03-31 19:38:15 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2020:1019	0	None	None	None	2020-03-31 19:38:35 UTC

Description Ryan Mullett 2019-08-29 21:00:59 UTC

Description of problem:
Duplicate dict key syntax error when using Ansible openscap remediations. 

Version-Release number of selected component (if applicable):
- ansible (tried with 2.4 from extras as well as 2.8 ae)
- scap-security-guide-0.1.43-13.el7.noarch.rpm

How reproducible:
Always

Steps to Reproduce:
1. # oscap xccdf generate fix --fix-type ansible --profile stig-rhel7-disa --output stig-rhel7-role2.yml /usr/share/xml/scap/ssg/content/ssg-rhel7-xccdf.xml
2. # ansible-playbook -i "localhost," -c local --check stig-rhel7-role2.yml

Actual results: 
[WARNING]: While constructing a mapping from /root/stig-rhel7-role2.yml, line 334, column 9, found a duplicate dict key (section).
Using last defined value only.

Expected results:
No duplicate dict key in the remediations. 

Additional info:

Here's the relevant section. Issue is line 335/336 in the playbook generated. 

  332     - name: "Add default domain group and use STARTTLS (if no domain there)"
  333       ini_file:
  334         path: /etc/sssd/sssd.conf
  335         section: domain/default  
  336         section: "{{ item.section }}"
  337         option: "{{ item.option }}"
  338         value: "{{ item.value }}"
  339         create: yes
  340         mode: 0600
  341       with_items:
  342         - { section: sssd, option: domains, value: default}
  343         - { section: domain/default, option: id_provider, value: files }
  344         - { section: domain/default, option: ldap_id_use_start_tls, value: true}
  345       when: test_grep_domain.stdout == "" and (ansible_virtualization_role != "guest" or ansible_virtualization_      type != "docker")
  346       tags:
  347         - sssd_ldap_start_tls
  348         - medium_severity
  349         - unknown_strategy
  350         - low_complexity
  351         - medium_disruption
  352         - CCE-80546-5
  353         - NIST-800-53-AC-17(2)
  354         - NIST-800-53-CM-7
  355         - DISA-STIG-RHEL-07-040180

Comment 3 Marek Haicman 2019-08-30 07:45:55 UTC

Thank you for the report, Ryan! This issue has been already fixed in upstream, and should be in next release. https://github.com/ComplianceAsCode/content/pull/4359

Comment 5 Jan Černý 2019-11-13 09:42:35 UTC

I have checked that in scap-security-guide-0.1.46-5.el7.noarch the generated playbook contains only 1 `section` key in `ini_file` key in task `Add default domain group and use STARTTLS (if no domain there)`. This task runs successfully.

However the whole playbook fails in my testing environment because it terminates before finishing.

In --check mode, it fails on:

8<---8<---8<---8<---8<---8<---8<---8<---
                                                                                            
TASK [Disable service kdump] ****************************************************************************
fatal: [localhost]: FAILED! => {"msg": "The conditional check 'service_file_exists.rc == 0' failed. The error was: error while evaluating conditional (service_file_exists.rc == 0): 'dict object' has no attribute
 'rc'\n\nThe error appears to be in '/root/stig-rhel7-role2.yml': line 430, column 7, but may\nbe elsewhere in the file depending on the exact syntax problem.\n\nThe offending line appears to be:\n\n\n    - name
: Disable service kdump\n      ^ here\n"}                                                                                                                                                                          
                                     
8<---8<---8<---8<---8<---8<---8<---8<---

In real run, it fails on:

8<---8<---8<---8<---8<---8<---8<---8<---

TASK [Get nfs and nfs4 mount points, that don't have nosuid] ********************************************                                                                                                          
fatal: [localhost]: FAILED! => {"changed": false, "cmd": "set -o pipefail\ngrep -E \"[[:space:]]nfs[4]?[[:space:]]\" /etc/fstab | grep -v \"nosuid\" | awk '{print $2}'\n", "delta": "0:00:00.006738", "end": "2019
-11-13 04:33:35.210072", "msg": "non-zero return code", "rc": 1, "start": "2019-11-13 04:33:35.203334", "stderr": "", "stderr_lines": [], "stdout": "", "stdout_lines": []}          

8<---8<---8<---8<---8<---8<---8<---8<---

Comment 6 Jan Černý 2019-11-13 11:37:46 UTC

The fail has been reported in the Rebase bugzilla https://bugzilla.redhat.com/show_bug.cgi?id=1726698

Comment 7 Jan Černý 2019-11-13 12:05:14 UTC

The kdump service fail has been reported upstream in https://github.com/ComplianceAsCode/content/issues/5003 which references https://github.com/RedHatOfficial/ansible-role-rhel7-stig/issues/18

Comment 8 Matus Marhefka 2019-11-14 14:41:10 UTC

Moving to verified based on the Comment 5. The issue with terminating Ansible playbook has been introduced by the rebase bugzilla https://bugzilla.redhat.com/show_bug.cgi?id=1726698 and it will be tracked/fixed there.

Comment 11 errata-xmlrpc 2020-03-31 19:38:15 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:1019

Note You need to log in before you can comment on or make changes to this bug.