Bug 1866319 - All the policies of OpenScap getting assigned through Ansible to all the clients.
Summary: All the policies of OpenScap getting assigned through Ansible to all the clie...
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Satellite
Classification: Red Hat
Component: SCAP Plugin
Version: 6.8.0
Hardware: x86_64
OS: All
medium
medium
Target Milestone: Unspecified
Assignee: satellite6-bugs
QA Contact: Jameer Pathan
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2020-08-05 11:08 UTC by Ganesh Payelkar
Modified: 2020-08-26 10:17 UTC (History)
2 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-08-26 10:17:06 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)

Description Ganesh Payelkar 2020-08-05 11:08:08 UTC 
Description of problem:

All the policies of OpenScap getting assigned through Ansible to all the clients.

Version-Release number of selected component (if applicable):
satellite-6.8.0-0.7.beta 

How reproducible:
New installation of 6.8 Beta

Steps to Reproduce:
1. Create 2 polices RHEL7 and RHEL8
2. WebUI --> Hosts --> Compliance --> Policies --> New Compliance policy --> 
  RHEL7 / RHEL8
3. Select "SCAP Content" according to your requirement
   Both policies have same HostGroup added
 
Assigned "RHEL7" policy to all RHEL 7 systems and "RHEL8" to RHEL 8 systems, by using All Host --> selected systems --> Select Action --> Assign compliance policy
    * Here when I ran "Run All Ansible roles" it added both the policies in all the hosts


Actual results:  

# cat /etc/redhat-release 
Red Hat Enterprise Linux Server release 7.6 (Maipo)

#  cat /etc/cron.d/foreman_scap_client_cron 
# DO NOT EDIT THIS FILE MANUALLY
# IT IS MANAGED BY ANSIBLE
# ANY MANUAL CHANGES WILL BE LOST ON THE NEXT ANSIBLE EXECUTION
#
# Executing foreman_scap_client from command line may be useful for debugging purposes.

# foreman_scap_client cron job
0 1 * * 5 root /bin/sleep 482; /usr/bin/foreman_scap_client 1 2>&1 | logger -t foreman_scap_client
0 1 * * 5 root /bin/sleep 2; /usr/bin/foreman_scap_client 2 2>&1 | logger -t foreman_scap_client


=======================================================================
# cat /etc/redhat-release 
Red Hat Enterprise Linux release 8.1 (Ootpa)

# cat /etc/cron.d/foreman_scap_client_cron 
# DO NOT EDIT THIS FILE MANUALLY
# IT IS MANAGED BY ANSIBLE
# ANY MANUAL CHANGES WILL BE LOST ON THE NEXT ANSIBLE EXECUTION
#
# Executing foreman_scap_client from command line may be useful for debugging purposes.

# foreman_scap_client cron job
0 1 * * 5 root /bin/sleep 345; /usr/bin/foreman_scap_client 1 2>&1 | logger -t foreman_scap_client
0 1 * * 5 root /bin/sleep 108; /usr/bin/foreman_scap_client 2 2>&1 | logger -t foreman_scap_client



Expected results:

Policy should be assigned to a client which we selected. 


Additional info: 


TASK [Apply roles] *************************************************************

TASK [RedHatInsights.insights-client : Install 'insights-client'] **************

ok: [rhel.example.net]

TASK [RedHatInsights.insights-client : Set Insights Configuration Values] ******

ok: [rhel.example.net]

TASK [RedHatInsights.insights-client : Register Insights Client] ***************

ok: [rhel.example.net]

TASK [RedHatInsights.insights-client : Change permissions of Insights Config directory so that Insights System ID can be read] ***

ok: [rhel.example.net]

TASK [RedHatInsights.insights-client : Change permissions of machine_id file so that Insights System ID can be read] ***

ok: [rhel.example.net]

TASK [RedHatInsights.insights-client : Create directory for ansible custom facts] ***

ok: [rhel.example.net]

TASK [RedHatInsights.insights-client : Install custom insights fact] ***********

ok: [rhel.example.net]

TASK [theforeman.foreman_scap_client : Configure plugins repository] ***********

ok: [rhel.example.net]

TASK [theforeman.foreman_scap_client : Install the foreman_scap_client package] ***

ok: [rhel.example.net]

TASK [theforeman.foreman_scap_client : Get certificate paths] ******************

ok: [rhel.example.net]

TASK [theforeman.foreman_scap_client : Set facts for rh certs] *****************

ok: [rhel.example.net]

TASK [theforeman.foreman_scap_client : Create cron in /etc/cron.d/] ************

changed: [rhel.example.net]

TASK [theforeman.foreman_scap_client : Create config.yaml in /etc/foreman_scap_client] ***

ok: [rhel.example.net]

TASK [theforeman.foreman_scap_client : Ensure cron and config are present] *****

ok: [rhel.example.net] => (item=/etc/cron.d/foreman_scap_client_cron)
ok: [rhel.example.net] => (item=/etc/foreman_scap_client/config.yaml)

PLAY RECAP *********************************************************************

rhel.example.net           : ok=16   changed=1    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0   

Exit status: 0
Comment 2 Brad Buckingham 2020-08-06 14:27:04 UTC 
Is this a regression from 6.7?
Comment 4 Ganesh Payelkar 2020-08-15 12:21:27 UTC 
observed same result on 6.7
Comment 5 Ondřej Pražák 2020-08-26 10:17:06 UTC 
If both policies have the same hostgroup as described in step 3 then all hosts in that hostgroup will inherit both policies. If policies are assigned to hostgroups there is also no need to assign those policies to individual hosts - all hosts in hostgroup will inherit policies from hostgroup.

The desired configuration can be achieved by assigning 'RHEL7 policy' only to 'RHEL7 hostgroup' or to each host with RHEL7 individually, same for RHEL8.

Closing as this is not a bug, feel free to reopen if I misunderstood.
Note You need to log in before you can comment on or make changes to this bug.