RHEL-71936

Rule xccdf_org.ssgproject.content_rule_require_singleuser_auth is buggy

    • Bug
    • Resolution: Unresolved
    • rhel-8.10, rhel-9.5
    • scap-security-guide
    • Moderate
    • rhel-sst-security-compliance
    • ssg_security
    • Red Hat Enterprise Linux
    • CY25Q1 Sprint 2

      What were you trying to do that didn't work?

      The implementation of rule xccdf_org.ssgproject.content_rule_require_singleuser_auth has multiple issues:

      1. it reports failure while it should not
        # oscap xccdf eval  --profile xccdf_org.ssgproject.content_profile_stig --rule xccdf_org.ssgproject.content_rule_require_singleuser_auth  /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml
        --- Starting Evaluation ---
        
        Title   Require Authentication for Single User Mode
        Rule    xccdf_org.ssgproject.content_rule_require_singleuser_auth
        Ident   CCE-80855-0
        Result  fail
        
      2. it applies a remediation that is the exact original directive in the packaged unit
        # oscap xccdf eval  --profile xccdf_org.ssgproject.content_profile_stig --remediate  --rule  xccdf_org.ssgproject.content_rule_require_singleuser_auth  /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml
        [...]
        --- Starting Remediation ---
        
        Title   Require Authentication for Single User Mode
        Rule    xccdf_org.ssgproject.content_rule_require_singleuser_auth
        Ident   CCE-80855-0
        Result  fixed
        
        # systemctl cat rescue.service | grep -B1 "ExecStart="
        ExecStartPre=-/bin/plymouth --wait quit
        ExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue
        --
        [Service]
        ExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue
        
      3. the applied remediation is broken, because it redefines ExecStart without clearing the one from the packaged unit file
        the proper remediation (if it was necessary) should be:
        [Service]
        ExecStart=
        ExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue
        

        This leads to getting a systemd error message:

        # systemctl status rescue.service --no-pager --full 
        ● rescue.service - Rescue Shell
           Loaded: bad-setting (Reason: Unit rescue.service has a bad unit file setting.)
        [...]
        Dec 20 09:24:13 vm-rhel8 systemd[1]: rescue.service: Service has more than one ExecStart= setting, which is only allowed for Type=oneshot services. Refusing.
        
      4. the rule yaml file proposes an invalid fix, consisting of overriding /usr/lib/systemd/system/rescue.service, which is a packaged file (at least on Fedora family systems)
        Customizations should be done in drop-ins or /etc/systemd/system, but this then somehow contradicts the initial OCIL text:
             Then, check if there is no custom rescue service configured in systemd configuration.
             Run the following command:
             <pre>$ sudo grep -r "^rescue.service$" /etc/systemd/system</pre>
             There should be no output.
             {{% endif %}}
         [...]
         fixtext: |-
             Configure {{{ full_name }}} to require authentication in single user mode.

             Add or update the following line in "/usr/lib/systemd/system/rescue.service":
             {{% if product in ["fedora", "ol8", "ol9", "sle12", "sle15"] or 'rhel' in product -%}}
             ExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue
             {{%- else -%}}
             ExecStart=-/bin/sh -c "/sbin/sulogin; /usr/bin/systemctl --fail --no-block default"
             {{%- endif %}}
        
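        The three systemd behaviours items 1, 3 and 4 rely on (the packaged unit already carries the sulogin ExecStart=, a drop-in that repeats ExecStart= without first resetting it makes a non-oneshot unit unloadable, and the empty ExecStart= line is what makes an override valid) can be modelled in a few lines. The Python below is an added illustration written for this page, not code from scap-security-guide or systemd; it merges a constructed copy of rescue.service with constructed drop-ins using systemd's list-directive semantics and then applies the check a rule like this one would need to run on the merged result rather than on a single file.

```python
"""Model of how systemd merges a packaged unit with its drop-ins, and the
check a compliance rule needs to run on the merged result.

Added example for this report, not scap-security-guide or systemd code.
The unit fragments below are constructed to mirror the outputs quoted in
the report; they are not copies of the shipped files."""

from collections import defaultdict

# systemd treats these as list settings: every assignment appends, and an
# empty assignment (e.g. "ExecStart=") resets the list collected so far.
LIST_DIRECTIVES = {"ExecStart", "ExecStartPre", "ExecStartPost"}

# The directive the rule expects on RHEL-family systems (quoted in the report).
SULOGIN_EXECSTART = "-/usr/lib/systemd/systemd-sulogin-shell rescue"

# Constructed stand-in for /usr/lib/systemd/system/rescue.service.
PACKAGED_RESCUE = """\
[Unit]
Description=Rescue Shell

[Service]
Environment=HOME=/root
ExecStartPre=-/bin/plymouth --wait quit
ExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue
Type=idle
"""

# What the remediation writes according to item 3: a second ExecStart=.
BROKEN_DROPIN = """\
[Service]
ExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue
"""

# The form the report says a drop-in override would need: reset, then set.
FIXED_DROPIN = """\
[Service]
ExecStart=
ExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue
"""


def merge_units(fragments):
    """Apply unit-file fragments in order (main unit first, then drop-ins)
    and return {section: {key: [values]}} with systemd's list semantics."""
    merged = defaultdict(lambda: defaultdict(list))
    for text in fragments:
        section = None
        for raw in text.splitlines():
            line = raw.strip()
            if not line or line.startswith(("#", ";")):
                continue
            if line.startswith("[") and line.endswith("]"):
                section = line[1:-1]
                continue
            key, _, value = line.partition("=")
            key, value = key.strip(), value.strip()
            if key in LIST_DIRECTIVES:
                if value == "":
                    merged[section][key] = []      # reset, as systemd does
                else:
                    merged[section][key].append(value)
            else:
                merged[section][key] = [value]     # scalar: last one wins
    return merged


def check_rescue_service(merged):
    """Return (load_ok, compliant).

    load_ok mirrors systemd's refusal to load a unit with more than one
    ExecStart= unless Type=oneshot (the bad-setting error in the report).
    compliant is the rule's intent: exactly the sulogin ExecStart= remains."""
    service = merged.get("Service", {})
    exec_starts = service.get("ExecStart", [])
    unit_type = service.get("Type", ["simple"])[-1]
    load_ok = len(exec_starts) <= 1 or unit_type == "oneshot"
    compliant = load_ok and exec_starts == [SULOGIN_EXECSTART]
    return load_ok, compliant


def evaluate(dropins):
    """Evaluate the packaged unit plus the given drop-ins (constructed data)."""
    return check_rescue_service(merge_units([PACKAGED_RESCUE, *dropins]))


if __name__ == "__main__":
    for label, dropins in (("no drop-in", []),
                           ("remediation drop-in", [BROKEN_DROPIN]),
                           ("reset + set drop-in", [FIXED_DROPIN])):
        load_ok, compliant = evaluate(dropins)
        print(f"{label:22} loads={load_ok!s:5} compliant={compliant}")
```

        Run without a drop-in, the merged unit is already compliant, which is why item 1's "fail" is wrong; with the drop-in the remediation writes, the unit carries two ExecStart= lines and is refused at load time; with the reset-then-set form the merged unit is valid again. The point for a checker is to evaluate what `systemctl cat` would show (main unit plus drop-ins, in order) rather than to grep a single packaged file.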

      What is the impact of this issue to you?

      Compliance failure

      Please provide the package NVR for which the bug is seen:

      scap-security-guide-0.1.75-1.el8.noarch
      scap-security-guide-0.1.75-1.el9.noarch

      How reproducible is this bug?:

      Always, see above

              Vojtech Polasek (vpolasek@redhat.com)
              Renaud Métrich (rhn-support-rmetrich)
              SSG Security QE
              Votes: 1
              Watchers: 11