
Stabilization: Make Ansible remediation less prone to fatal errors #9911

@marcusburghardt marcusburghardt commented Nov 30, 2022

Description:

There are cases where the systems don't have one or more of the grub files intended to be checked. If this is the case, the former task in the Ansible playbook would result in a fatal error. Now, the files' existence is first ensured before their contents are checked.

Rationale:

Avoids fatal errors when executing the Ansible Playbook.

Review Hints:

The OVAL changes are only related to style guide alignment. No functional changes were made there.
The relevant changes happened in the Ansible remediation.
The test scenario scripts were improved to test the Ansible remediation robustness and cover OVAL tests.

There are cases where the systems don't have one or more of the grub
files intended to be checked. If this is the case, the former task in
the Ansible playbook would result in a fatal error. Now, the files
existences are firstly ensured before checking their contents.
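The same guard in shell form, as an added example that is not ComplianceAsCode code: the grub2_enable_selinux clean-up is applied only to grub files that actually exist, so a missing /etc/grub2.cfg no longer aborts the run, and the fixture shows the check a test scenario would make afterwards. The `root` prefix, the function names and the fixture tree are hypothetical and constructed for this demonstration.

```shell
#!/bin/sh
# Added example (not ComplianceAsCode content): a guarded equivalent of the
# grub2_enable_selinux remediation. All names are hypothetical and the tree
# built by make_fixture is constructed for the demonstration.
set -u

# Strip "selinux=0" / "enforcing=0" from each candidate grub file that exists
# (case-insensitive, matching the sed 'gI' flags of the bash remediation).
# Missing files are skipped instead of making sed fail; returns 1 only if
# sed itself failed on a file that is present.
remediate_grub_selinux() {
  root="$1"
  rc=0
  for f in "$root/etc/default/grub" "$root/etc/grub2.cfg" "$root"/etc/grub.d/*; do
    # An unmatched glob stays literal when /etc/grub.d/ is empty; -f skips it.
    [ -f "$f" ] || continue
    sed -i -e 's/selinux=0//gI' -e 's/enforcing=0//gI' "$f" || rc=1
  done
  return "$rc"
}

# Count remaining occurrences (case-insensitive) across the files that exist,
# which is what a test scenario asserts on after remediation.
count_disabled_flags() {
  root="$1"
  n=0
  for f in "$root/etc/default/grub" "$root/etc/grub2.cfg" "$root"/etc/grub.d/*; do
    [ -f "$f" ] || continue
    n=$((n + $(grep -o -i -E '(selinux|enforcing)=0' "$f" | wc -l)))
  done
  echo "$n"
}

# Constructed fixture: /etc/default/grub carries two flags, one /etc/grub.d/
# snippet carries one, and /etc/grub2.cfg is deliberately absent, the case
# that made the former Ansible task fatal. Prints the scratch root.
make_fixture() {
  root=$(mktemp -d)
  mkdir -p "$root/etc/default" "$root/etc/grub.d"
  printf 'GRUB_CMDLINE_LINUX="rhgb quiet SELinux=0 enforcing=0"\n' \
    > "$root/etc/default/grub"
  printf '#!/bin/sh\necho "linux /vmlinuz selinux=0"\n' > "$root/etc/grub.d/40_custom"
  echo "$root"
}

# Stand-alone run: build the fixture, remediate, report, clean up.
if [ "${1:-}" = "--demo" ]; then
  demo_root=$(make_fixture)
  echo "before: $(count_disabled_flags "$demo_root") flag(s)"
  remediate_grub_selinux "$demo_root" && echo "remediation ok"
  echo "after:  $(count_disabled_flags "$demo_root") flag(s)"
  rm -rf "$demo_root"
fi
```

Run with `--demo` to see the counts go from 3 to 0 while the absent /etc/grub2.cfg is simply skipped.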
@marcusburghardt marcusburghardt added Ansible Ansible remediation update. productization-issue Issue found in upstream stabilization process. labels Nov 30, 2022
@marcusburghardt marcusburghardt added this to the 0.1.65 milestone Nov 30, 2022

@marcusburghardt
Member Author

@mildas, it was visible after fixing another issue (#9856).


github-actions bot commented Nov 30, 2022

This datastream diff is auto generated by the check Compare DS/Generate Diff

bash remediation for rule 'xccdf_org.ssgproject.content_rule_file_groupowner_efi_grub2_cfg' differs.
--- xccdf_org.ssgproject.content_rule_file_groupowner_efi_grub2_cfg
+++ xccdf_org.ssgproject.content_rule_file_groupowner_efi_grub2_cfg
@@ -1,5 +1,5 @@
 # Remediation is applicable only in certain platforms
-if rpm --quiet -q grub2-common && [ -f /sys/firmware/efi ] && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then
+if [ -f /sys/firmware/efi ] && rpm --quiet -q grub2-common && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then
 
 chgrp 0 /boot/efi/EFI/redhat/grub.cfg
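Review bot: the reorder itself is harmless, but `[ -f /sys/firmware/efi ]` on both the old and new line tests for a regular file, and /sys/firmware/efi is a sysfs directory on an EFI-booted host, so this guard is false exactly where the chgrp is meant to run; `[ -d /sys/firmware/efi ]` is the intended check. That is outside this style-only change, but the same line is repeated in every efi_* bash hunk in this diff, so it is worth fixing once in a follow-up.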
 

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_file_groupowner_efi_grub2_cfg' differs.
--- xccdf_org.ssgproject.content_rule_file_groupowner_efi_grub2_cfg
+++ xccdf_org.ssgproject.content_rule_file_groupowner_efi_grub2_cfg
@@ -20,8 +20,8 @@
 path: /boot/efi/EFI/redhat/grub.cfg
 register: file_exists
 when:
+ - '"/boot/efi" in ansible_mounts | map(attribute="mount") | list'
 - '"grub2-common" in ansible_facts.packages'
- - '"/boot/efi" in ansible_mounts | map(attribute="mount") | list'
 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
 tags:
 - CCE-85915-7
@@ -42,8 +42,8 @@
 path: /boot/efi/EFI/redhat/grub.cfg
 group: '0'
 when:
+ - '"/boot/efi" in ansible_mounts | map(attribute="mount") | list'
 - '"grub2-common" in ansible_facts.packages'
- - '"/boot/efi" in ansible_mounts | map(attribute="mount") | list'
 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
 - file_exists.stat is defined and file_exists.stat.exists
 tags:

bash remediation for rule 'xccdf_org.ssgproject.content_rule_file_groupowner_efi_user_cfg' differs.
--- xccdf_org.ssgproject.content_rule_file_groupowner_efi_user_cfg
+++ xccdf_org.ssgproject.content_rule_file_groupowner_efi_user_cfg
@@ -1,5 +1,5 @@
 # Remediation is applicable only in certain platforms
-if rpm --quiet -q grub2-common && [ -f /sys/firmware/efi ] && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then
+if [ -f /sys/firmware/efi ] && rpm --quiet -q grub2-common && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then
 
 chgrp 0 /boot/efi/EFI/redhat/user.cfg
 

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_file_groupowner_efi_user_cfg' differs.
--- xccdf_org.ssgproject.content_rule_file_groupowner_efi_user_cfg
+++ xccdf_org.ssgproject.content_rule_file_groupowner_efi_user_cfg
@@ -20,8 +20,8 @@
 path: /boot/efi/EFI/redhat/user.cfg
 register: file_exists
 when:
+ - '"/boot/efi" in ansible_mounts | map(attribute="mount") | list'
 - '"grub2-common" in ansible_facts.packages'
- - '"/boot/efi" in ansible_mounts | map(attribute="mount") | list'
 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
 tags:
 - CCE-86012-2
@@ -42,8 +42,8 @@
 path: /boot/efi/EFI/redhat/user.cfg
 group: '0'
 when:
+ - '"/boot/efi" in ansible_mounts | map(attribute="mount") | list'
 - '"grub2-common" in ansible_facts.packages'
- - '"/boot/efi" in ansible_mounts | map(attribute="mount") | list'
 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
 - file_exists.stat is defined and file_exists.stat.exists
 tags:

bash remediation for rule 'xccdf_org.ssgproject.content_rule_file_owner_efi_grub2_cfg' differs.
--- xccdf_org.ssgproject.content_rule_file_owner_efi_grub2_cfg
+++ xccdf_org.ssgproject.content_rule_file_owner_efi_grub2_cfg
@@ -1,5 +1,5 @@
 # Remediation is applicable only in certain platforms
-if rpm --quiet -q grub2-common && [ -f /sys/firmware/efi ] && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then
+if [ -f /sys/firmware/efi ] && rpm --quiet -q grub2-common && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then
 
 chown 0 /boot/efi/EFI/redhat/grub.cfg
 

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_file_owner_efi_grub2_cfg' differs.
--- xccdf_org.ssgproject.content_rule_file_owner_efi_grub2_cfg
+++ xccdf_org.ssgproject.content_rule_file_owner_efi_grub2_cfg
@@ -20,8 +20,8 @@
 path: /boot/efi/EFI/redhat/grub.cfg
 register: file_exists
 when:
+ - '"/boot/efi" in ansible_mounts | map(attribute="mount") | list'
 - '"grub2-common" in ansible_facts.packages'
- - '"/boot/efi" in ansible_mounts | map(attribute="mount") | list'
 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
 tags:
 - CCE-85913-2
@@ -42,8 +42,8 @@
 path: /boot/efi/EFI/redhat/grub.cfg
 owner: '0'
 when:
+ - '"/boot/efi" in ansible_mounts | map(attribute="mount") | list'
 - '"grub2-common" in ansible_facts.packages'
- - '"/boot/efi" in ansible_mounts | map(attribute="mount") | list'
 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
 - file_exists.stat is defined and file_exists.stat.exists
 tags:

bash remediation for rule 'xccdf_org.ssgproject.content_rule_file_owner_efi_user_cfg' differs.
--- xccdf_org.ssgproject.content_rule_file_owner_efi_user_cfg
+++ xccdf_org.ssgproject.content_rule_file_owner_efi_user_cfg
@@ -1,5 +1,5 @@
 # Remediation is applicable only in certain platforms
-if rpm --quiet -q grub2-common && [ -f /sys/firmware/efi ] && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then
+if [ -f /sys/firmware/efi ] && rpm --quiet -q grub2-common && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then
 
 chown 0 /boot/efi/EFI/redhat/user.cfg
 

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_file_owner_efi_user_cfg' differs.
--- xccdf_org.ssgproject.content_rule_file_owner_efi_user_cfg
+++ xccdf_org.ssgproject.content_rule_file_owner_efi_user_cfg
@@ -20,8 +20,8 @@
 path: /boot/efi/EFI/redhat/user.cfg
 register: file_exists
 when:
+ - '"/boot/efi" in ansible_mounts | map(attribute="mount") | list'
 - '"grub2-common" in ansible_facts.packages'
- - '"/boot/efi" in ansible_mounts | map(attribute="mount") | list'
 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
 tags:
 - CCE-86021-3
@@ -42,8 +42,8 @@
 path: /boot/efi/EFI/redhat/user.cfg
 owner: '0'
 when:
+ - '"/boot/efi" in ansible_mounts | map(attribute="mount") | list'
 - '"grub2-common" in ansible_facts.packages'
- - '"/boot/efi" in ansible_mounts | map(attribute="mount") | list'
 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
 - file_exists.stat is defined and file_exists.stat.exists
 tags:

bash remediation for rule 'xccdf_org.ssgproject.content_rule_file_permissions_efi_grub2_cfg' differs.
--- xccdf_org.ssgproject.content_rule_file_permissions_efi_grub2_cfg
+++ xccdf_org.ssgproject.content_rule_file_permissions_efi_grub2_cfg
@@ -1,5 +1,5 @@
 # Remediation is applicable only in certain platforms
-if rpm --quiet -q grub2-common && [ -f /sys/firmware/efi ] && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then
+if [ -f /sys/firmware/efi ] && rpm --quiet -q grub2-common && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then
 
 chmod u-s,g-xwrs,o-xwrt /boot/efi/EFI/redhat/grub.cfg
 

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_file_permissions_efi_grub2_cfg' differs.
--- xccdf_org.ssgproject.content_rule_file_permissions_efi_grub2_cfg
+++ xccdf_org.ssgproject.content_rule_file_permissions_efi_grub2_cfg
@@ -18,8 +18,8 @@
 path: /boot/efi/EFI/redhat/grub.cfg
 register: file_exists
 when:
+ - '"/boot/efi" in ansible_mounts | map(attribute="mount") | list'
 - '"grub2-common" in ansible_facts.packages'
- - '"/boot/efi" in ansible_mounts | map(attribute="mount") | list'
 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
 tags:
 - CCE-85912-4
@@ -38,8 +38,8 @@
 path: /boot/efi/EFI/redhat/grub.cfg
 mode: u-s,g-xwrs,o-xwrt
 when:
+ - '"/boot/efi" in ansible_mounts | map(attribute="mount") | list'
 - '"grub2-common" in ansible_facts.packages'
- - '"/boot/efi" in ansible_mounts | map(attribute="mount") | list'
 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
 - file_exists.stat is defined and file_exists.stat.exists
 tags:

bash remediation for rule 'xccdf_org.ssgproject.content_rule_file_permissions_efi_user_cfg' differs.
--- xccdf_org.ssgproject.content_rule_file_permissions_efi_user_cfg
+++ xccdf_org.ssgproject.content_rule_file_permissions_efi_user_cfg
@@ -1,5 +1,5 @@
 # Remediation is applicable only in certain platforms
-if rpm --quiet -q grub2-common && [ -f /sys/firmware/efi ] && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then
+if [ -f /sys/firmware/efi ] && rpm --quiet -q grub2-common && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then
 
 chmod u-xs,g-xwrs,o-xwrt /boot/efi/EFI/redhat/user.cfg
 

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_file_permissions_efi_user_cfg' differs.
--- xccdf_org.ssgproject.content_rule_file_permissions_efi_user_cfg
+++ xccdf_org.ssgproject.content_rule_file_permissions_efi_user_cfg
@@ -18,8 +18,8 @@
 path: /boot/efi/EFI/redhat/user.cfg
 register: file_exists
 when:
+ - '"/boot/efi" in ansible_mounts | map(attribute="mount") | list'
 - '"grub2-common" in ansible_facts.packages'
- - '"/boot/efi" in ansible_mounts | map(attribute="mount") | list'
 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
 tags:
 - CCE-86028-8
@@ -38,8 +38,8 @@
 path: /boot/efi/EFI/redhat/user.cfg
 mode: u-xs,g-xwrs,o-xwrt
 when:
+ - '"/boot/efi" in ansible_mounts | map(attribute="mount") | list'
 - '"grub2-common" in ansible_facts.packages'
- - '"/boot/efi" in ansible_mounts | map(attribute="mount") | list'
 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
 - file_exists.stat is defined and file_exists.stat.exists
 tags:

bash remediation for rule 'xccdf_org.ssgproject.content_rule_grub2_enable_selinux' differs.
--- xccdf_org.ssgproject.content_rule_grub2_enable_selinux
+++ xccdf_org.ssgproject.content_rule_grub2_enable_selinux
@@ -1,5 +1,5 @@
 # Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { rpm --quiet -q grub2-common; }; then
 
 sed -i --follow-symlinks "s/selinux=0//gI" /etc/default/grub /etc/grub2.cfg /etc/grub.d/*
 sed -i --follow-symlinks "s/enforcing=0//gI" /etc/default/grub /etc/grub2.cfg /etc/grub.d/*
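Review bot: the bash side is still exposed to the missing-file case this PR fixes for Ansible: `sed -i ... /etc/default/grub /etc/grub2.cfg /etc/grub.d/*` passes every path unconditionally, so if /etc/grub2.cfg is absent GNU sed reports that it cannot read the file and exits non-zero even though the other files were edited. Iterating over the candidates and skipping those that fail `[ -f ]` would make the two remediations behave the same. The added `{ rpm --quiet -q grub2-common; }` guard is fine; the braces around a single command are just redundant.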

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_grub2_enable_selinux' differs.
--- xccdf_org.ssgproject.content_rule_grub2_enable_selinux
+++ xccdf_org.ssgproject.content_rule_grub2_enable_selinux
@@ -1,10 +1,6 @@
-- name: Find /etc/grub.d/ files
- find:
- paths:
- - /etc/grub.d/
- follow: true
- register: grub
- when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+- name: Gather the package facts
+ package_facts:
+ manager: auto
 tags:
 - CCE-80827-9
 - NIST-800-171-3.1.2
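Review bot: the new `package_facts` task carries no `when:` while the `find` task it replaces was skipped in containers; that is acceptable because gathering package facts has no side effect and every later task in this rule still carries the container exclusion, but it does mean `ansible_facts.packages` is populated even on hosts where nothing else in the rule runs. Note that the later `"grub2-common" in ansible_facts.packages` conditions depend on this task never being conditional, so it should not be given the container `when:` back.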
@@ -18,15 +14,15 @@
 - no_reboot_needed
 - restrict_strategy
 
-- name: Ensure SELinux Not Disabled in grub files
- replace:
- dest: '{{ item.path }}'
- regexp: (selinux|enforcing)=0
- with_items:
- - '{{ grub.files }}'
- - path: /etc/grub2.cfg
- - path: /etc/default/grub
- when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+- name: Ensure SELinux Not Disabled in /etc/default/grub - Find /etc/grub.d/ files
+ ansible.builtin.find:
+ paths:
+ - /etc/grub.d/
+ follow: true
+ register: result_grub_d
+ when:
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - '"grub2-common" in ansible_facts.packages'
 tags:
 - CCE-80827-9
 - NIST-800-171-3.1.2
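Review bot: `ansible.builtin.find` with `paths: - /etc/grub.d/` skips a missing directory with a warning rather than failing, and `result_grub_d.files` is then an empty list, so the loop over it in the next hunk cannot fault on a host without /etc/grub.d/; `follow: true` is preserved from the removed task. Nothing to change here, only worth stating in the PR description since it is the one grub path this PR does not guard with an explicit `stat`.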
@@ -39,3 +35,112 @@
 - medium_severity
 - no_reboot_needed
 - restrict_strategy
+
+- name: Ensure SELinux Not Disabled in /etc/default/grub - Ensure SELinux Not Disabled
+ in /etc/grub.d/ files
+ ansible.builtin.replace:
+ dest: '{{ item.path }}'
+ regexp: (selinux|enforcing)=0
+ with_items:
+ - '{{ result_grub_d.files }}'
+ when:
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - '"grub2-common" in ansible_facts.packages'
+ tags:
+ - CCE-80827-9
+ - NIST-800-171-3.1.2
+ - NIST-800-171-3.7.2
+ - NIST-800-53-AC-3
+ - NIST-800-53-AC-3(3)(a)
+ - grub2_enable_selinux
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - restrict_strategy
+
+- name: Ensure SELinux Not Disabled in /etc/default/grub - Check if /etc/grub2.cfg
+ exists
+ ansible.builtin.stat:
+ path: /etc/grub2.cfg
+ register: result_grub2_cfg_present
+ when:
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - '"grub2-common" in ansible_facts.packages'
+ tags:
+ - CCE-80827-9
+ - NIST-800-171-3.1.2
+ - NIST-800-171-3.7.2
+ - NIST-800-53-AC-3
+ - NIST-800-53-AC-3(3)(a)
+ - grub2_enable_selinux
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - restrict_strategy
+
+- name: Ensure SELinux Not Disabled in /etc/default/grub - Check if /etc/default/grub
+ exists
+ ansible.builtin.stat:
+ path: /etc/default/grub
+ register: result_default_grub_present
+ when:
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - '"grub2-common" in ansible_facts.packages'
+ tags:
+ - CCE-80827-9
+ - NIST-800-171-3.1.2
+ - NIST-800-171-3.7.2
+ - NIST-800-53-AC-3
+ - NIST-800-53-AC-3(3)(a)
+ - grub2_enable_selinux
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - restrict_strategy
+
+- name: Ensure SELinux Not Disabled in /etc/default/grub - Ensure SELinux Not Disabled
+ in /etc/grub2.cfg
+ ansible.builtin.replace:
+ dest: /etc/grub2.cfg
+ regexp: (selinux|enforcing)=0
+ when:
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - '"grub2-common" in ansible_facts.packages'
+ - result_grub2_cfg_present.stat.exists
+ tags:
+ - CCE-80827-9
+ - NIST-800-171-3.1.2
+ - NIST-800-171-3.7.2
+ - NIST-800-53-AC-3
+ - NIST-800-53-AC-3(3)(a)
+ - grub2_enable_selinux
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - restrict_strategy
+
+- name: Ensure SELinux Not Disabled in /etc/default/grub - Ensure SELinux Not Disabled
+ in /etc/default/grub
+ ansible.builtin.replace:
+ dest: /etc/default/grub
+ regexp: (selinux|enforcing)=0
+ when:
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - '"grub2-common" in ansible_facts.packages'
+ - result_default_grub_present.stat.exists
+ tags:
+ - CCE-80827-9
+ - NIST-800-171-3.1.2
+ - NIST-800-171-3.7.2
+ - NIST-800-53-AC-3
+ - NIST-800-53-AC-3(3)(a)
+ - grub2_enable_selinux
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - restrict_strategy
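Review bot: the two stat-guarded `replace` tasks use `result_grub2_cfg_present.stat.exists` and `result_default_grub_present.stat.exists` bare, while the efi_* hunks above use the `file_exists.stat is defined and file_exists.stat.exists` form. It works here because the `when:` list is evaluated in order and the first two conditions are the same ones that gate the corresponding `stat` task, so the registered variable is defined whenever the third condition is reached, but the `is defined` form costs nothing and keeps the generated playbooks consistent. Separately, `regexp: (selinux|enforcing)=0` is case-sensitive whereas the bash remediation uses `s/selinux=0//gI`, so the two remediations do not agree on mixed-case occurrences; `(?i)(selinux|enforcing)=0` would align them if the bash behaviour is the intended one.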

Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_grub2_enable_selinux'
--- xccdf_org.ssgproject.content_rule_grub2_enable_selinux
+++ xccdf_org.ssgproject.content_rule_grub2_enable_selinux
@@ -1 +1 @@
-
+cpe:/a:grub2
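Review bot: the `cpe:/a:grub2` platform is what makes the rule not applicable where grub2 is absent (the s390x point raised in review below), and the `rpm --quiet -q grub2-common` and `"grub2-common" in ansible_facts.packages` guards in the hunks above are its rendered form, so this line and those hunks need to land together. This diff shows only the remediation output; the OVAL side of the rule should be checked to confirm it picks up the same applicability.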

bash remediation for rule 'xccdf_org.ssgproject.content_rule_postfix_prevent_unrestricted_relay' differs.
--- xccdf_org.ssgproject.content_rule_postfix_prevent_unrestricted_relay
+++ xccdf_org.ssgproject.content_rule_postfix_prevent_unrestricted_relay
@@ -1,5 +1,5 @@
 # Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q postfix; then
+if rpm --quiet -q postfix && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
 
 if ! grep -q ^smtpd_client_restrictions /etc/postfix/main.cf; then
 echo "smtpd_client_restrictions = permit_mynetworks,reject" >> /etc/postfix/main.cf

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_postfix_prevent_unrestricted_relay' differs.
--- xccdf_org.ssgproject.content_rule_postfix_prevent_unrestricted_relay
+++ xccdf_org.ssgproject.content_rule_postfix_prevent_unrestricted_relay
@@ -40,8 +40,8 @@
 line: smtpd_client_restrictions = permit_mynetworks,reject
 state: present
 when:
+ - '"postfix" in ansible_facts.packages'
 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"postfix" in ansible_facts.packages'
 tags:
 - CCE-84054-6
 - DISA-STIG-RHEL-08-040290

bash remediation for rule 'xccdf_org.ssgproject.content_rule_sssd_ldap_configure_tls_ca_dir' differs.
--- xccdf_org.ssgproject.content_rule_sssd_ldap_configure_tls_ca_dir
+++ xccdf_org.ssgproject.content_rule_sssd_ldap_configure_tls_ca_dir
@@ -1,5 +1,5 @@
 # Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q sssd-common; then
+if rpm --quiet -q sssd-common && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
 
 var_sssd_ldap_tls_ca_dir=''
 

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sssd_ldap_configure_tls_ca_dir' differs.
--- xccdf_org.ssgproject.content_rule_sssd_ldap_configure_tls_ca_dir
+++ xccdf_org.ssgproject.content_rule_sssd_ldap_configure_tls_ca_dir
@@ -25,8 +25,8 @@
 changed_when: false
 check_mode: false
 when:
+ - '"sssd-common" in ansible_facts.packages'
 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"sssd-common" in ansible_facts.packages'
 tags:
 - CCE-82456-5
 - NIST-800-53-CM-6(a)
@@ -45,8 +45,8 @@
 changed_when: false
 check_mode: false
 when:
+ - '"sssd-common" in ansible_facts.packages'
 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"sssd-common" in ansible_facts.packages'
 tags:
 - CCE-82456-5
 - NIST-800-53-CM-6(a)
@@ -73,8 +73,8 @@
 option: ldap_tls_cacertdir
 value: '{{ var_sssd_ldap_tls_ca_dir }}'
 when:
+ - '"sssd-common" in ansible_facts.packages'
 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"sssd-common" in ansible_facts.packages'
 - test_grep_domain.stdout is defined
 - test_grep_domain.stdout | length < 1
 - test_id_provider.stdout is defined
@@ -97,8 +97,8 @@
 option: ldap_tls_cacertdir
 value: '{{ var_sssd_ldap_tls_ca_dir }}'
 when:
+ - '"sssd-common" in ansible_facts.packages'
 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"sssd-common" in ansible_facts.packages'
 - test_grep_domain.stdout is defined
 - test_grep_domain.stdout | length > 0
 - test_id_provider.stdout is defined

bash remediation for rule 'xccdf_org.ssgproject.content_rule_sssd_ldap_configure_tls_reqcert' differs.
--- xccdf_org.ssgproject.content_rule_sssd_ldap_configure_tls_reqcert
+++ xccdf_org.ssgproject.content_rule_sssd_ldap_configure_tls_reqcert
@@ -1,5 +1,5 @@
 # Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q sssd-common; then
+if rpm --quiet -q sssd-common && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
 
 SSSD_CONF="/etc/sssd/sssd.conf"
 LDAP_REGEX='[[:space:]]*\[domain\/[^]]*]([^(\n)]*(\n)+)+?[[:space:]]*ldap_tls_reqcert'

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sssd_ldap_configure_tls_reqcert' differs.
--- xccdf_org.ssgproject.content_rule_sssd_ldap_configure_tls_reqcert
+++ xccdf_org.ssgproject.content_rule_sssd_ldap_configure_tls_reqcert
@@ -20,8 +20,8 @@
 changed_when: false
 check_mode: false
 when:
+ - '"sssd-common" in ansible_facts.packages'
 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"sssd-common" in ansible_facts.packages'
 tags:
 - CCE-84062-9
 - NIST-800-53-CM-6(a)
@@ -40,8 +40,8 @@
 changed_when: false
 check_mode: false
 when:
+ - '"sssd-common" in ansible_facts.packages'
 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"sssd-common" in ansible_facts.packages'
 tags:
 - CCE-84062-9
 - NIST-800-53-CM-6(a)
@@ -68,8 +68,8 @@
 option: ldap_tls_reqcert
 value: demand
 when:
+ - '"sssd-common" in ansible_facts.packages'
 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"sssd-common" in ansible_facts.packages'
 - test_grep_domain.stdout is defined
 - test_grep_domain.stdout | length < 1
 - test_id_provider.stdout is defined
@@ -92,8 +92,8 @@
 option: ldap_tls_reqcert
 value: demand
 when:
+ - '"sssd-common" in ansible_facts.packages'
 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"sssd-common" in ansible_facts.packages'
 - test_grep_domain.stdout is defined
 - test_grep_domain.stdout | length > 0
 - test_id_provider.stdout is defined

bash remediation for rule 'xccdf_org.ssgproject.content_rule_sssd_ldap_start_tls' differs.
--- xccdf_org.ssgproject.content_rule_sssd_ldap_start_tls
+++ xccdf_org.ssgproject.content_rule_sssd_ldap_start_tls
@@ -1,5 +1,5 @@
 # Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q sssd-common; then
+if rpm --quiet -q sssd-common && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
 
 SSSD_CONF="/etc/sssd/sssd.conf"
 LDAP_REGEX='[[:space:]]*\[domain\/[^]]*]([^(\n)]*(\n)+)+?[[:space:]]*ldap_id_use_start_tls'

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sssd_ldap_start_tls' differs.
--- xccdf_org.ssgproject.content_rule_sssd_ldap_start_tls
+++ xccdf_org.ssgproject.content_rule_sssd_ldap_start_tls
@@ -21,8 +21,8 @@
 changed_when: false
 check_mode: false
 when:
+ - '"sssd-common" in ansible_facts.packages'
 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"sssd-common" in ansible_facts.packages'
 tags:
 - CCE-82437-5
 - NIST-800-53-CM-6(a)
@@ -42,8 +42,8 @@
 changed_when: false
 check_mode: false
 when:
+ - '"sssd-common" in ansible_facts.packages'
 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"sssd-common" in ansible_facts.packages'
 tags:
 - CCE-82437-5
 - NIST-800-53-CM-6(a)
@@ -71,8 +71,8 @@
 option: ldap_id_use_start_tls
 value: 'true'
 when:
+ - '"sssd-common" in ansible_facts.packages'
 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"sssd-common" in ansible_facts.packages'
 - test_grep_domain.stdout is defined
 - test_grep_domain.stdout | length < 1
 - test_id_provider.stdout is defined
@@ -96,8 +96,8 @@
 option: ldap_id_use_start_tls
 value: 'true'
 when:
+ - '"sssd-common" in ansible_facts.packages'
 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"sssd-common" in ansible_facts.packages'
 - test_grep_domain.stdout is defined
 - test_grep_domain.stdout | length > 0
 - test_id_provider.stdout is defined

@marcusburghardt
Member Author

Automatus CS8, CS9 and Fedora are failing because the containers used for tests don't have grub.

@mildas mildas self-assigned this Nov 30, 2022
Contributor

@mildas mildas left a comment


grub2_enable_selinux should not be applicable on s390x at all. That should be done with platform, same as for grub2 group.

Can the rule not be implemented via grub2_bootloader_argument template? The template does Ansible remediation properly using /sbin/grubby.

@marcusburghardt
Member Author

> grub2_bootloader_argument

Nice. I will include the platform: grub2.
Regarding the template, I would prefer to test this with more time and propose a separate PR only for master branch. Are you fine with that?

@mildas
Contributor

mildas commented Nov 30, 2022

> Regarding the template, I would prefer to test this with more time and propose a separate PR only for master branch. Are you fine with that?

No problem with it for 0.1.65 release if it works as expected. I need to verify this approach is ok for aarch64. s390x should be ok now, because of platform.
Can you create upstream issue or preferably draft PR with the rule change to template? So we don't forget about it there.

@marcusburghardt
Member Author

> Regarding the template, I would prefer to test this with more time and propose a separate PR only for master branch. Are you fine with that?

> No problem with it for 0.1.65 release if it works as expected. I need to verify this approach is ok for aarch64. s390x should be ok now, because of platform. Can you create upstream issue or preferably draft PR with the rule change to template? So we don't forget about it there.

Sure. Once this PR is merged in stabilization, I port it to master to keep the branches aligned. Then I create a new PR for the template, ok?

Contributor

@mildas mildas left a comment


> Sure. Once this PR is merged in stabilization, I port it to master to keep the branches aligned. Then I create a new PR for the template, ok?

Ok, sounds fine.
This PR works fine, approving and merging.

@mildas mildas merged commit 02a143d into ComplianceAsCode:stabilization-v0.1.65 Nov 30, 2022
@marcusburghardt marcusburghardt deleted the grub2_enable_selinux_ansible branch November 30, 2022 15:49