RHEL-59519

[RHEL10 Beta Testathon] OSCAP remediate produces failures and errors


      What were you trying to do that didn't work?

      Running OSCAP remediations for PCI-DSS results in many failures and errors:

      # oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_pci-dss --remediate /usr/share/xml/scap/ssg/content/ssg-rhel10-ds.xml

      The above command produces many errors and failures:

      44 errors

      11 failures

      36 passes

      What is the impact of this issue to you?

      The --remediate option does not bring the system to comply with the selected PCI-DSS profile.  

      Please provide the package NVR for which the bug is seen:

      # cat /etc/redhat-release
      Red Hat Enterprise Linux release 10.0 Beta (Coughlan)
      # uname -r
      6.11.0-0.rc5.22.el10.x86_64
      # rpm -q openscap
      openscap-1.4.0-2.el10.x86_64

      How reproducible is this bug?:

      I only ran this once but I assume it's 100% reproducible.

      Steps to reproduce

      1. Install RHEL 10 beta and configure repositories
      2. Install openscap packages
      3. Scan the system against pci-dss compliance policy
      4. Run the oscap command to remediate against the pci-dss policy

      Expected results

      I expected fewer errors and failures.

      Actual results

      The --remediate option resulted in 36 passes but 55 checks were either failures or errors.  

      As a side note, I generated a remediation Ansible playbook which also did not work as expected.  The playbook failed on the following check:

      TASK [Ensure audispd-plugins is installed] ************************************************************************************************************

      fatal: [localhost]: FAILED! => {"changed": false, "msg": "Failed to validate GPG signature for audispd-plugins-4.0-9.el10.x86_64: Public key for audispd-plugins-4.0-9.el10.x86_64.rpm is not installed"}

       

      After the playbook run, the system could no longer install or update any packages with the following error:

      # dnf update
      Updating Subscription Management repositories.
      Unable to read consumer identity

      This system is not registered with an entitlement server. You can use "rhc" or "subscription-manager" to register.

      You have enabled checking of packages via GPG keys. This is a good thing.
      However, you do not have any GPG public keys installed. You need to download
      the keys for packages you wish to install and install them.
      You can do that by running the command:
          rpm --import public.gpg.key

      Alternatively you can specify the url to the key you would like to use
      for a repository in the 'gpgkey' option in a repository section and DNF
      will install it for you.

      For more information contact your distribution or package provider.

      Problem repository: [rhel-10.0.beta-baseos-rpms]
      bandwidth: 0
      baseurl: http://download.devel.redhat.com/rhel-10/nightly/RHEL-10-Public-Beta/latest-RHEL-10.0/compose/BaseOS/$basearch/os/
      cachedir: /var/cache/dnf
      cost: 1000
      countme: 0
      deltarpm: 0
      deltarpm_percentage: 75
      enabled: 1
      enabled_metadata: 
      enablegroups: 1
      exclude: 
      excludepkgs: 
      fastestmirror: 0
      gpgcheck: 1
      gpgkey: 
      includepkgs: 
      ip_resolve: whatever
      max_downloads_per_mirror: 3
      max_parallel_downloads: 3
      mediaid: 
      metadata_expire: 172800
      metalink: 
      minrate: 1000
      mirrorlist: 
      module_hotfixes: 0
      name: rhel-10.0.beta-baseos-rpms
      password: 
      priority: 99
      protected_packages: dnf, redhat-release, setup, systemd, systemd-udev, grub2-tools-minimal, sudo, yum, grub2-pc, redhat-release, setup, systemd, systemd-udev, grub2-tools-minimal, sudo, yum, grub2-pc
      proxy: 
      proxy_auth_method: any
      proxy_password: 
      proxy_sslcacert: 
      proxy_sslclientcert: 
      proxy_sslclientkey: 
      proxy_sslverify: 1
      proxy_username: 
      repo_gpgcheck: 0
      retries: 10
      skip_if_unavailable: 0
      sslcacert: 
      sslclientcert: 
      sslclientkey: 
      sslverify: 1
      sslverifystatus: 0
      throttle: 0
      timeout: 30
      type: 
      user_agent: libdnf (Red Hat Enterprise Linux 10.0; generic; Linux.x86_64)
      username: 

            vpolasek@redhat.com Vojtech Polasek
            rhn-support-spurrier Scott Spurrier
            Vojtech Polasek Vojtech Polasek
            SSG Security QE SSG Security QE
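
The dnf output in the report shows the failing state: `gpgcheck: 1`, an empty `gpgkey`, and no public keys imported. As an added example (not part of the original report and not Red Hat tooling), the script below scans a repository dump in that format for repositories in this state before a remediation run. The second sample repository, its key path, and all function names are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: pre-flight check for the state in this report, where a
# repository enforces signature checks but names no key source.

# Print the id of every repository in a dnf repo dump (stdin) that has
# gpgcheck: 1 and an empty gpgkey, i.e. relies solely on the RPM keyring.
find_unkeyed_repos() {
  awk '
    function value(line) {            # text after the first "key:"
      sub(/^[^:]*:[ \t]*/, "", line); sub(/[ \t]+$/, "", line)
      return line
    }
    function report() {
      if (id != "" && gpgcheck == "1" && gpgkey == "") print id
    }
    /^[ \t]*Problem repository: \[/ {
      report()
      id = $0; sub(/^.*repository: \[/, "", id); sub(/\].*$/, "", id)
      gpgcheck = ""; gpgkey = ""
      next
    }
    /^[ \t]*gpgcheck:/ { gpgcheck = value($0) }   # does not match repo_gpgcheck
    /^[ \t]*gpgkey:/   { gpgkey = value($0) }
    END { report() }
  '
}

# Count public keys imported into the RPM keyring (0 if none or rpm absent).
imported_key_count() {
  command -v rpm >/dev/null 2>&1 || { echo 0; return 0; }
  rpm -q gpg-pubkey 2>/dev/null | grep -c '^gpg-pubkey-' || true
}

# Constructed sample: first entry mirrors the report, second is invented.
sample_dump() {
  cat <<'EOF'
Problem repository: [rhel-10.0.beta-baseos-rpms]
gpgcheck: 1
gpgkey:
repo_gpgcheck: 0
Problem repository: [example-keyed-repo]
gpgcheck: 1
gpgkey: file:///etc/pki/rpm-gpg/RPM-GPG-KEY-example
repo_gpgcheck: 0
EOF
}

unkeyed=$(sample_dump | find_unkeyed_repos)
if [ -n "$unkeyed" ] && [ "$(imported_key_count)" -eq 0 ]; then
  echo "$unkeyed" | sed 's/^/gpgcheck on, no key source: /'
fi
```

A repository listed by `find_unkeyed_repos` is only a problem when the keyring is also empty, which is why the final check combines both results.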