Description of problem:

After applying the Ansible Role for the DISA Stig for RHEL of OpenScap 0.1.48 (https://github.com/ComplianceAsCode/content/releases/download/v0.1.48/scap-security-guide-0.1.48.zip) to the client system locally, when the 'theforeman.foreman_scap_client' role is applied from the Satellite server, the following error occurs:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
TASK [theforeman.foreman_scap_client : Set facts for rh certs] *****************
fatal: [test.example.com]: FAILED! =>
  msg: |-
    the field 'args' has an invalid value ({u'rh_consumer_private_key_path': u"{{ (rh_certs.stdout | from_json).get('rh_consumer_private_key_path') }}", u'rh_consumer_cert_path': u"{{ (rh_certs.stdout | from_json).get('rh_consumer_cert_path') }}", u'rh_ca_cert_path': u"{{ (rh_certs.stdout | from_json).get('rh_ca_cert_path') }}"}), and could not be converted to an dict.The error was: No JSON object could be decoded

    The error appears to be in '/usr/share/ansible/roles/theforeman.foreman_scap_client/tasks/main.yml': line 21, column 3, but may
    be elsewhere in the file depending on the exact syntax problem.

    The offending line appears to be:

    - name: 'Set facts for rh certs'
      ^ here
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

This ansible error seems to be a problem with: https://github.com/theforeman/ansible-foreman_scap_client

More specifically, this commit has introduced this new task "Set facts for rh certs": https://github.com/theforeman/ansible-foreman_scap_client/commit/b2bf6c595363174935f94b0f479d27e8eb5690ba

Version-Release number of selected component (if applicable):

How reproducible: Always

Steps to Reproduce:
1. Applied the ansible role DISA Stig for RHEL of OpenScap 0.1.48 (https://github.com/ComplianceAsCode/content/releases/download/v0.1.48/scap-security-guide-0.1.48.zip) to the client.
2. Executed the theforeman.foreman_scap_client ansible role on the client.

Actual results: Role is failing with error.

Expected results: It should get executed successfully.

Additional info: It seems that the 'fapolicyd' service is causing the issue and not allowing the script to execute. After stopping the service, everything started working fine.
Could you try whitelisting ruby in fapolicyd? It helped upstream: https://community.theforeman.org/t/issue-running-theforeman-foreman-scap-client-on-rhel-8/17438
Whitelisting helps. There are 3 possible solutions:
- Red Hat solves the issue by preventing ruby code in ansible roles to run python
- the openscap policy could whitelist ruby because the ruby script is from the openscap package
- the puppet-agent installer should whitelist ruby since puppet requires ruby

I prefer to not use ruby code in ansible.
Created redmine issue https://projects.theforeman.org/issues/29475 from this bug
Moving this bug to POST for triage into Satellite since the upstream issue https://projects.theforeman.org/issues/29475 has been resolved.
Moving back to new for reevaluation