RHEL-1473

Unexpected changes of variable values in generated remediations in customized profiles

    • sst_security_compliance
    • ssg_security


      Description of problem:

      The Ansible Playbook generated from the shipped profile and Ansible Playbook generated
      from customized profile differ in more values than were actually customized.

      Version-Release number of selected component (if applicable):

      scap-workbench-1.2.1-13.el9.x86_64
      openscap-1.3.8-1.el9.x86_64
      scap-security-guide-0.1.66-1.el9_1.noarch

      How reproducible:

      deterministically

      Steps to reproduce:

      1. Run scap-workbench from the terminal.
      2. On the "Open SCAP Security Guide" screen, select RHEL 9 and click on Load Content.
      3. Choose "CIS RHEL 9 Benchmark for Level 2 - Server" profile in the Profile dropdown.
      4. Click on "Generate Remediation Role", generate an Ansible playbook and save it to a file, e.g. "cis.yml".
      5. Click on Customize, choose custom profile ID, change the value of var_accounts_tmout value and confirm "OK".
      6. Click on "Generate Remediation Role", generate an Ansible playbook and save it to a file, e.g. "cis_customized.yml".
      7. Run a diff of the 2 playbooks in the terminal: diff -u cis.yml cis_customized.yml

      Actual results:

      A lot of values differ in the generated Playbook, but only a single value was changed in the Customization Window.

      8<--8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<--

      [test@kvm-06-guest39 ~]$ diff -u cis.yml cis_customized.yml
      --- cis.yml	2023-07-31 10:36:00.955711462 -0400
      +++ cis_customized.yml	2023-07-31 10:36:41.509035586 -0400
      @@ -1,7 +1,7 @@
       ###############################################################################
       #
      -# Ansible Playbook for CIS Red Hat Enterprise Linux 9 Benchmark for Level 2 - Server
      +# Ansible Playbook for CIS Red Hat Enterprise Linux 9 Benchmark for Level 2 - Server [CUSTOMIZED]
       #
       # Profile Description:
       # This profile defines a baseline that aligns to the "Level 2 - Server"
      @@ -10,13 +10,13 @@
       # This profile includes Center for Internet Security®
       # Red Hat Enterprise Linux 9 CIS Benchmarks™ content.
       #
      -# Profile ID: xccdf_org.ssgproject.content_profile_cis
      +# Profile ID: xccdf_org.ssgproject.content_profile_cis_customized
       # Benchmark ID: xccdf_org.ssgproject.content_benchmark_RHEL-9
       # Benchmark Version: 0.1.66
       # XCCDF Version: 1.2
       #
       # This file was generated by OpenSCAP 1.3.8 using:
      -# $ oscap xccdf generate fix --profile xccdf_org.ssgproject.content_profile_cis --fix-type ansible xccdf-file.xml
      +# $ oscap xccdf generate fix --profile xccdf_org.ssgproject.content_profile_cis_customized --fix-type ansible xccdf-file.xml
       #
       # This Ansible Playbook is generated from an OpenSCAP profile without preliminary evaluation.
       # It attempts to fix every selected rule, even if the system is already compliant.
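      Review bot: the generation command recorded in the `-# $ oscap ...` / `+# $ oscap ...` pair is not reproducible for the customized playbook: it names xccdf_org.ssgproject.content_profile_cis_customized but passes only xccdf-file.xml, and that profile exists only in the tailoring file scap-workbench wrote, so the header should also record the `--tailoring-file <file>` argument that `oscap xccdf generate fix` accepts. As written, anyone regenerating the playbook outside the GUI from this header gets an unknown-profile error, and the header gives no way to tell whether the drift in the vars hunks below comes from the tailoring file or from oscap's resolution of the extending profile.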
      @@ -33,28 +33,28 @@
         vars:
           var_system_crypto_policy: !!str DEFAULT
           inactivity_timeout_value: !!str 900
      -    var_screensaver_lock_delay: !!str 5
      +    var_screensaver_lock_delay: !!str 0
           var_sudo_logfile: !!str /var/log/sudo.log
           var_sudo_timestamp_timeout: !!str 5
      -    var_authselect_profile: !!str sssd
      -    login_banner_text: !Unable to render embedded object: File ((Authorized[\s\n]+uses[\s\n]+only\.[\s\n]+All[\s\n]+activity[\s\n]+may[\s\n]+be[\s\n]+monitored[\s\n]+and[\s\n]+reported\.) not found..(
           |fedora|rhel|sle|ubuntu)).
           )$
      +    var_authselect_profile: !!str minimal
      +    login_banner_text: !!str ^Authorized[\s\n]+uses[\s\n]+only\.[\s\n]+All[\s\n]+activity[\s\n]+may[\s\n]+be[\s\n]+monitored[\s\n]+and[\s\n]+reported\.$
           var_password_pam_remember: !!str 5
      -    var_password_pam_remember_control_flag: !!str requisite,required
      +    var_password_pam_remember_control_flag: !!str requisite
           var_accounts_passwords_pam_faillock_deny: !!str 3
      -    var_accounts_passwords_pam_faillock_unlock_time: !!str 900
      -    var_password_pam_minclass: !!str 4
      -    var_password_pam_minlen: !!str 14
      +    var_accounts_passwords_pam_faillock_unlock_time: !!str 0
      +    var_password_pam_minclass: !!str 3
      +    var_password_pam_minlen: !!str 15
           var_password_pam_retry: !!str 3
      -    var_account_disable_post_pw_expiration: !!str 30
      -    var_accounts_maximum_age_login_defs: !!str 365
      -    var_accounts_minimum_age_login_defs: !!str 1
      +    var_account_disable_post_pw_expiration: !!str 35
      +    var_accounts_maximum_age_login_defs: !!str 60
      +    var_accounts_minimum_age_login_defs: !!str 7
           var_accounts_password_warn_age_login_defs: !!str 7
      -    var_accounts_tmout: !!str 900
      +    var_accounts_tmout: !!str 1800
           var_accounts_user_umask: !!str 027
           var_auditd_action_mail_acct: !!str root
      -    var_auditd_admin_space_left_action: !!str halt
      +    var_auditd_admin_space_left_action: !!str single
           var_auditd_max_log_file: !!str 6
      -    var_auditd_max_log_file_action: !!str keep_logs
      +    var_auditd_max_log_file_action: !!str rotate
           var_auditd_space_left_action: !!str email
           sysctl_net_ipv6_conf_all_accept_ra_value: !!str 0
           sysctl_net_ipv6_conf_all_accept_redirects_value: !!str 0
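      Review bot: every `-`/`+` pair in this hunk except `var_accounts_tmout: !!str 900` to `1800` changes a variable the reporter never touched, and the drift goes in both directions: var_password_pam_minclass 4 to 3, var_auditd_max_log_file_action keep_logs to rotate and var_auditd_admin_space_left_action halt to single all weaken the CIS baseline, while var_password_pam_minlen 14 to 15 and var_accounts_minimum_age_login_defs 1 to 7 tighten it, so a user applying the "customized" playbook is not getting CIS values plus one change but a different baseline. The pattern is consistent with the tailored profile losing the base profile's per-Value selections and each Value falling back to its default, so the fix should be verified by comparing the tailored profile's resolved values against the base profile, not only by diffing playbooks. Note also that the removed login_banner_text line is unreadable on this page because the tracker rendered its `!`-delimited YAML value as an image macro; the original CIS pattern cannot be recovered from what is shown.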
      @@ -79,13 +79,13 @@
           var_selinux_policy_name: !!str targeted
           var_selinux_state: !!str enforcing
           var_postfix_inet_interfaces: !!str loopback-only
      -    var_multiple_time_servers: !!str 0.rhel.pool.ntp.org,1.rhel.pool.ntp.org,2.rhel.pool.ntp.org,3.rhel.pool.ntp.org
      +    var_multiple_time_servers: !!str 0.pool.ntp.org,1.pool.ntp.org,2.pool.ntp.org,3.pool.ntp.org
           var_sshd_set_keepalive: !!str 0
      -    sshd_idle_timeout_value: !!str 900
      +    sshd_idle_timeout_value: !!str 300
           var_sshd_set_login_grace_time: !!str 60
           sshd_max_auth_tries_value: !!str 4
           var_sshd_max_sessions: !!str 10
      -    var_sshd_set_maxstartups: !!str 10:30:60
      +    var_sshd_set_maxstartups: !!str 10:30:100
         tasks:
           - name: Ensure aide is installed
             package:
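      Review bot: the same untouched-variable drift continues here and two of the changes matter on a host whose owner believes it is getting the CIS values: var_multiple_time_servers silently swaps the vendor rhel.pool.ntp.org pool for the generic pool, and var_sshd_set_maxstartups 10:30:60 to 10:30:100 raises the ceiling on concurrent unauthenticated SSH connections (the third MaxStartups field) while sshd_idle_timeout_value 900 to 300 tightens. The output is also cut after `package:`, so whether the `tasks:` section (rule selection) drifts in the same way is not shown; a follow-up `diff` restricted to the `- name:` lines of both playbooks would establish whether only `vars:` are affected.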

      8<--8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<--

      Expected results:

      The Playbooks will differ only in the variable value that has been changed in the Customization UI and other values stay the same.

      Additional info:

      This bug is also reproducible on Fedora 38 with these RPM versions:
      scap-workbench-1.2.1-12.fc37.x86_64
      openscap-1.3.8-1.fc38.x86_64
      scap-security-guide-0.1.68-1.fc38.noarch
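The following is an added example, not code from the bug report, scap-workbench, OpenSCAP or scap-security-guide. It does the two things a practitioner wants when triaging this report: it writes a minimal XCCDF 1.2 tailoring file whose profile extends the CIS profile and sets exactly one value, so both playbooks can be regenerated with the oscap CLI (if the CLI run drifts the same way, the problem is in oscap's handling of the extending profile rather than in the workbench UI), and it compares the `vars:` blocks of two generated playbooks and lists every variable that changed apart from the one deliberately customized. The datastream path, the tailoring layout (a `set-value` rather than a `refine-value`) and the sample playbook excerpts are assumptions or constructed input; the profile IDs and the values in the samples are taken from the report.

```python
"""Regenerate and compare the RHEL-1473 playbooks without scap-workbench.

Added example (not code from the report, OpenSCAP or SSG).  Paths and the
tailoring layout are assumptions; the sample playbooks are constructed.
"""
import re
import sys

DATASTREAM = "/usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml"  # assumed path
BASE_PROFILE = "xccdf_org.ssgproject.content_profile_cis"
CUSTOM_PROFILE = BASE_PROFILE + "_customized"
VALUE_PREFIX = "xccdf_org.ssgproject.content_value_"  # SSG Value id = prefix + var name
VAR_LINE = re.compile(r"^\s+([A-Za-z0-9_]+): !!str (.*)$")


def make_tailoring(custom_id, base_id, overrides):
    """XCCDF 1.2 Tailoring with one Profile that extends base_id and carries a
    set-value for each {var_name: value} in overrides, and nothing else."""
    sets = "".join(
        f'    <xccdf-1.2:set-value idref="{VALUE_PREFIX}{k}">{v}</xccdf-1.2:set-value>\n'
        for k, v in overrides.items())
    return (
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        '<xccdf-1.2:Tailoring xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2"\n'
        '    id="xccdf_org.example.tailoring_cis">\n'
        f'  <xccdf-1.2:benchmark href="{DATASTREAM}"/>\n'
        '  <xccdf-1.2:version time="2023-07-31T00:00:00">1</xccdf-1.2:version>\n'
        f'  <xccdf-1.2:Profile id="{custom_id}" extends="{base_id}">\n'
        '    <xccdf-1.2:title>CIS Level 2 - Server [CUSTOMIZED]</xccdf-1.2:title>\n'
        f"{sets}"
        '  </xccdf-1.2:Profile>\n'
        '</xccdf-1.2:Tailoring>\n')


def parse_vars(playbook_text):
    """Map variable name -> value for the `name: !!str value` lines between the
    generated playbook's `vars:` and `tasks:` keys."""
    found, in_vars = {}, False
    for line in playbook_text.splitlines():
        key = line.strip()
        if key == "vars:":
            in_vars = True
        elif key == "tasks:":
            break
        elif in_vars:
            m = VAR_LINE.match(line)
            if m:
                found[m.group(1)] = m.group(2)
    return found


def diff_vars(a_text, b_text):
    """{name: (old, new)} for every variable whose value differs (None = absent)."""
    a, b = parse_vars(a_text), parse_vars(b_text)
    return {k: (a.get(k), b.get(k)) for k in sorted(a.keys() | b.keys())
            if a.get(k) != b.get(k)}


def unexpected_changes(a_text, b_text, customized):
    """The diff minus the variables the user actually tailored; empty for a
    tailoring that only changed what the user asked for."""
    return {k: v for k, v in diff_vars(a_text, b_text).items() if k not in customized}


# Constructed excerpts shaped like the generated playbooks, using a few of the
# values from the reported diff; not the real files from the report.
CIS_SAMPLE = """\
- hosts: all
  vars:
    var_system_crypto_policy: !!str DEFAULT
    var_password_pam_minlen: !!str 14
    var_accounts_tmout: !!str 900
    var_auditd_max_log_file_action: !!str keep_logs
  tasks:
    - name: Ensure aide is installed
      package:
        name: aide
"""
CUSTOMIZED_SAMPLE = (CIS_SAMPLE.replace("!!str 900", "!!str 1800")
                     .replace("!!str 14", "!!str 15")
                     .replace("keep_logs", "rotate"))


def main(argv):
    if len(argv) == 3:  # usage: script.py cis.yml cis_customized.yml
        with open(argv[1]) as fa, open(argv[2]) as fb:
            a, b = fa.read(), fb.read()
    else:               # no files given: run on the constructed samples
        a, b = CIS_SAMPLE, CUSTOMIZED_SAMPLE
    with open("tailoring.xml", "w") as f:
        f.write(make_tailoring(CUSTOM_PROFILE, BASE_PROFILE, {"var_accounts_tmout": "1800"}))
    print("# regenerate both playbooks without the GUI, then rerun this script on them:")
    print(f"oscap xccdf generate fix --fix-type ansible --profile {BASE_PROFILE} {DATASTREAM} > cis.yml")
    print(f"oscap xccdf generate fix --fix-type ansible --profile {CUSTOM_PROFILE} "
          f"--tailoring-file tailoring.xml {DATASTREAM} > cis_customized.yml")
    bad = unexpected_changes(a, b, {"var_accounts_tmout"})
    for name, (old, new) in bad.items():
        print(f"UNEXPECTED {name}: {old} -> {new}")
    return 1 if bad else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run without arguments it exercises the constructed samples and exits non-zero because var_password_pam_minlen and var_auditd_max_log_file_action changed although only var_accounts_tmout was tailored; run as `script.py cis.yml cis_customized.yml` after executing the two printed oscap commands it checks the real playbooks. The tailoring file is deliberately hand-written and minimal so that the workbench is out of the picture: a tailoring with a single `set-value` that still produces drift points at profile resolution in oscap, while a clean CLI result points at the tailoring scap-workbench generates.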

            jcerny@redhat.com Jan Cerny
            Matej Tyc
            SSG Security QE