Bug
Resolution: Won't Do
rhel-7.9
rhel-sst-security-compliance
ssg_security
What were you trying to do that didn't work?
The rule service_bluetooth_disabled passed even if the service isn't disabled.
Please provide the package NVR for which bug is seen:
openscap-1.2.17-15.el7_9.x86_64
How reproducible:
Deterministic
Steps to reproduce
- Obtain ssg-rhel7-ds.xml built from upstream ComplianceAsCode content as of HEAD 4f25fa7 as of 2024-02-05.
- Start a graphical installation of a RHEL 7 Server with GUI virtual machine.
- In security policy scope, fetch the aforementioned DS and select the CIS Workstation Level 2 profile.
- Perform the installation, finish, and reboot.
- sudo oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_cis_workstation_l2 --rule xccdf_org.ssgproject.content_rule_service_bluetooth_disabled --results-arf service_bluetooth_disabled.arf.xml ./ssg-rhel7-ds.xml
Expected results
The rule service_bluetooth_disabled fails because the bluetooth service isn't disabled.
Actual results
The rule service_bluetooth_disabled passed because OpenSCAP can't read any property of the bluetooth.service systemd unit. In the ARF results we can see that the objects oval:ssg-obj_service_loadstate_is_masked_service_bluetooth_disabled_bluetooth:obj:1 and oval:ssg-obj_service_not_running_service_bluetooth_disabled_bluetooth:obj:1 are both evaluated as "does not exist". This result is wrong and doesn't correspond to the output of the "systemctl show bluetooth.service" command, because systemctl can correctly list the units.
In the past we have experienced a similar problem in https://github.com/ComplianceAsCode/content/issues/10424, which has been fixed upstream by https://github.com/OpenSCAP/openscap/pull/1980. Unfortunately, this fix hasn't been backported to RHEL 7.
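An added cross-check for the false pass described above (example code, not part of the original report or of OpenSCAP): it lists the collected OVAL objects flagged "does not exist" in the ARF file and reports those that contradict what "systemctl show" says about the unit. The sample inputs are constructed, and matching objects to a unit by the ID suffix seen in this report is an assumption.

```python
import re
import xml.etree.ElementTree as ET

# Namespace of OVAL system characteristics, where collected objects are recorded.
SC_NS = "http://oval.mitre.org/XMLSchema/oval-system-characteristics-5"

# Constructed, trimmed stand-in for the ARF file; IDs are the ones quoted in the report.
SAMPLE_ARF = f"""<oval_system_characteristics xmlns="{SC_NS}">
 <collected_objects>
  <object id="oval:ssg-obj_service_loadstate_is_masked_service_bluetooth_disabled_bluetooth:obj:1" version="1" flag="does not exist"/>
  <object id="oval:ssg-obj_service_not_running_service_bluetooth_disabled_bluetooth:obj:1" version="1" flag="does not exist"/>
  <object id="oval:ssg-obj_constructed_example:obj:1" version="1" flag="complete"/>
 </collected_objects>
</oval_system_characteristics>"""

# Constructed output of: systemctl show bluetooth.service -p LoadState -p ActiveState
SAMPLE_SHOW = "LoadState=loaded\nActiveState=active\n"

def missing_objects(arf_xml):
    """IDs of collected objects the scanner flagged as 'does not exist'."""
    root = ET.fromstring(arf_xml)
    return [o.get("id") for o in root.iter(f"{{{SC_NS}}}object")
            if o.get("flag") == "does not exist"]

def parse_systemctl_show(text):
    """Turn 'Key=Value' lines from 'systemctl show' into a dict."""
    return dict(line.split("=", 1) for line in text.splitlines() if "=" in line)

def contradictions(arf_xml, unit, show_output):
    """Objects for `unit` reported missing although systemd knows the unit."""
    props = parse_systemctl_show(show_output)
    if props.get("LoadState") in (None, "not-found"):
        return []  # systemd agrees the unit is absent, so nothing contradicts
    stem = re.escape(unit.rsplit(".", 1)[0])
    # Assumption: object IDs end in "_<unit name>:obj:<n>", as in this report.
    return [oid for oid in missing_objects(arf_xml)
            if re.search(rf"_{stem}:obj:\d+$", oid)]

if __name__ == "__main__":
    for oid in contradictions(SAMPLE_ARF, "bluetooth.service", SAMPLE_SHOW):
        print("scanner saw no unit, systemd did:", oid)
```

On a real system, pass the contents of service_bluetooth_disabled.arf.xml and the live output of "systemctl show bluetooth.service" in place of the constructed samples.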