If you use "--profile" it will create a playbook based on the profile, not the results scan. This is a corrected example:

    oscap xccdf generate fix --fix-type ansible --result-id "" --output hipaa-remediations.yml hipaa-results.xml

Took me like, 2 hours to find this answer. Here's the blog post that helped me.
http://redhatgov.io/workshops/rhel_8/exercise1.7/

Try it yourself. The profile ansible playbook will have:

    # This Ansible Playbook is generated from an OpenSCAP profile without preliminary evaluation.
    # It attempts to fix every selected rule, even if the system is already compliant.

at the top.

Reported by: xhk416x
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/security_hardening/scanning-the-system-for-configuration-compliance-and-vulnerabilities_security-hardening#annotations:fb7b6d6a-51e9-4aad-8c23-036fcd798ce4
Annotation: Chapter 8. Scanning the system for configuration compliance and vulnerabilities of the "Security Hardening" title
Thanks a lot for reporting this! I discussed this with the Compliance SMEs and updated both RHEL 8 and RHEL 9 documentation. The changes should be visible here in a few hours:

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/security_hardening/scanning-the-system-for-configuration-compliance-and-vulnerabilities_security-hardening#creating-a-remediation-ansible-playbook-to-align-the-system-with-a-specific-baseline_scanning-the-system-for-configuration-compliance-and-vulnerabilities

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/security_hardening/scanning-the-system-for-configuration-compliance-and-vulnerabilities_security-hardening#creating-a-remediation-ansible-playbook-to-align-the-system-with-a-specific-baseline_scanning-the-system-for-configuration-compliance-and-vulnerabilities
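
The scan-then-generate workflow from the report above, with a check for the profile-only header it quotes. This is an added example, not from the Red Hat documentation or the reporter. The profile id `hipaa`, the data stream path and the function names are assumptions, and the sample playbooks are constructed.

```shell
#!/bin/sh
# Added example, not from the Red Hat documentation. Assumptions: profile id
# "hipaa", the RHEL 8 SSG data stream path, and all function names below.
DS=/usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml

# Scan first, then build the playbook from the scan results.
generate_from_results() {
    # oscap exits 2 when at least one rule fails; expected on a first scan.
    oscap xccdf eval --profile hipaa --results hipaa-results.xml "$DS" \
        || [ $? -eq 2 ] || return 1
    oscap xccdf generate fix --fix-type ansible --result-id "" \
        --output hipaa-remediations.yml hipaa-results.xml
}

# Report whether a playbook carries the profile-only header quoted above.
# Prints and returns: profile-based (1), not-profile-based (0), missing (2).
playbook_source() {
    [ -r "$1" ] || { echo missing; return 2; }
    if head -n 20 "$1" | grep -qF \
        'generated from an OpenSCAP profile without preliminary evaluation'; then
        echo profile-based
        return 1
    fi
    echo not-profile-based
}

# Constructed sample playbooks so the check can be tried without oscap.
make_samples() {
    cat > "$1/from-profile.yml" <<'EOF'
---
# This Ansible Playbook is generated from an OpenSCAP profile without preliminary evaluation.
# It attempts to fix every selected rule, even if the system is already compliant.
- hosts: all
  tasks: []
EOF
    cat > "$1/from-results.yml" <<'EOF'
---
# constructed stand-in for a playbook generated from scan results
- hosts: all
  tasks: []
EOF
}
```

Running `playbook_source hipaa-remediations.yml` before `ansible-playbook` catches a playbook that would touch every selected rule instead of only the ones the scan reported as failing.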