RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 1747188 - Ansible openscap remediations have a duplicate dict key (section)
Summary: Ansible openscap remediations have a duplicate dict key (section)
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: scap-security-guide
Version: 7.8
Hardware: All
OS: Linux
Target Milestone: rc
: ---
Assignee: Gabriel Gaspar Becker
QA Contact: Jan Černý
Eric Christensen
Depends On:
TreeView+ depends on / blocked
Reported: 2019-08-29 21:00 UTC by Ryan Mullett
Modified: 2023-09-07 20:30 UTC (History)
8 users (show)

Fixed In Version: scap-security-guide-0.1.45-1.el7
Doc Type: No Doc Update
Doc Text:
Clone Of:
Last Closed: 2020-03-31 19:38:15 UTC
Target Upstream Version:

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2020:1019 0 None None None 2020-03-31 19:38:35 UTC

Description Ryan Mullett 2019-08-29 21:00:59 UTC
Description of problem:
Duplicate dict key syntax error when using Ansible openscap remediations. 

Version-Release number of selected component (if applicable):
- ansible (tried with 2.4 from extras as well as 2.8 ae)
- scap-security-guide-0.1.43-13.el7.noarch.rpm

How reproducible:

Steps to Reproduce:
1. # oscap xccdf generate fix --fix-type ansible --profile stig-rhel7-disa --output stig-rhel7-role2.yml /usr/share/xml/scap/ssg/content/ssg-rhel7-xccdf.xml
2. # ansible-playbook -i "localhost," -c local --check stig-rhel7-role2.yml

Actual results: 
[WARNING]: While constructing a mapping from /root/stig-rhel7-role2.yml, line 334, column 9, found a duplicate dict key (section).
Using last defined value only.

Expected results:
No duplicate dict key in the remediations. 

Additional info:

Here's the relevant section. Issue is line 335/336 in the playbook generated. 

  332     - name: "Add default domain group and use STARTTLS (if no domain there)"
  333       ini_file:
  334         path: /etc/sssd/sssd.conf
  335         section: domain/default  
  336         section: "{{ item.section }}"
  337         option: "{{ item.option }}"
  338         value: "{{ item.value }}"
  339         create: yes
  340         mode: 0600
  341       with_items:
  342         - { section: sssd, option: domains, value: default}
  343         - { section: domain/default, option: id_provider, value: files }
  344         - { section: domain/default, option: ldap_id_use_start_tls, value: true}
  345       when: test_grep_domain.stdout == "" and (ansible_virtualization_role != "guest" or ansible_virtualization_      type != "docker")
  346       tags:
  347         - sssd_ldap_start_tls
  348         - medium_severity
  349         - unknown_strategy
  350         - low_complexity
  351         - medium_disruption
  352         - CCE-80546-5
  353         - NIST-800-53-AC-17(2)
  354         - NIST-800-53-CM-7
  355         - DISA-STIG-RHEL-07-040180

Comment 3 Marek Haicman 2019-08-30 07:45:55 UTC
Thank you for the report, Ryan! This issue has been already fixed in upstream, and should be in next release. https://github.com/ComplianceAsCode/content/pull/4359

Comment 5 Jan Černý 2019-11-13 09:42:35 UTC
I have checked that in scap-security-guide-0.1.46-5.el7.noarch the generated playbook contains only 1 `section` key in `ini_file` key in task `Add default domain group and use STARTTLS (if no domain there)`. This task runs successfully.

However the whole playbook fails in my testing environment because it terminates before finishing.

In --check mode, it fails on:

TASK [Disable service kdump] ****************************************************************************
fatal: [localhost]: FAILED! => {"msg": "The conditional check 'service_file_exists.rc == 0' failed. The error was: error while evaluating conditional (service_file_exists.rc == 0): 'dict object' has no attribute
 'rc'\n\nThe error appears to be in '/root/stig-rhel7-role2.yml': line 430, column 7, but may\nbe elsewhere in the file depending on the exact syntax problem.\n\nThe offending line appears to be:\n\n\n    - name
: Disable service kdump\n      ^ here\n"}                                                                                                                                                                          

In real run, it fails on:


TASK [Get nfs and nfs4 mount points, that don't have nosuid] ********************************************                                                                                                          
fatal: [localhost]: FAILED! => {"changed": false, "cmd": "set -o pipefail\ngrep -E \"[[:space:]]nfs[4]?[[:space:]]\" /etc/fstab | grep -v \"nosuid\" | awk '{print $2}'\n", "delta": "0:00:00.006738", "end": "2019
-11-13 04:33:35.210072", "msg": "non-zero return code", "rc": 1, "start": "2019-11-13 04:33:35.203334", "stderr": "", "stderr_lines": [], "stdout": "", "stdout_lines": []}          


Comment 6 Jan Černý 2019-11-13 11:37:46 UTC
The fail has been reported in the Rebase bugzilla https://bugzilla.redhat.com/show_bug.cgi?id=1726698

Comment 7 Jan Černý 2019-11-13 12:05:14 UTC
The kdump service fail has been reported upstream in https://github.com/ComplianceAsCode/content/issues/5003 which references https://github.com/RedHatOfficial/ansible-role-rhel7-stig/issues/18

Comment 8 Matus Marhefka 2019-11-14 14:41:10 UTC
Moving to verified based on the Comment 5. The issue with terminating Ansible playbook has been introduced by the rebase bugzilla https://bugzilla.redhat.com/show_bug.cgi?id=1726698 and it will be tracked/fixed there.

Comment 11 errata-xmlrpc 2020-03-31 19:38:15 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.