  1. Satellite
  2. SAT-19505

Applying foreman.scap role from Satellite on client system where DISA STIG Security Policy is applied locally fails.


    • Moderate

      Description of problem:
      After applying the Ansible role for the DISA STIG for RHEL of OpenSCAP 0.1.48 (https://github.com/ComplianceAsCode/content/releases/download/v0.1.48/scap-security-guide-0.1.48.zip) to the client system locally, applying the 'theforeman.foreman_scap_client' role from the Satellite server gives the following error:

      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      TASK [theforeman.foreman_scap_client : Set facts for rh certs] *****************

      fatal: [test.example.com]: FAILED! =>
      msg: |-
      the field 'args' has an invalid value ({u'rh_consumer_private_key_path': u"{{ (rh_certs.stdout | from_json).get('rh_consumer_private_key_path') }}", u'rh_consumer_cert_path': u"{{ (rh_certs.stdout | from_json).get('rh_consumer_cert_path') }}", u'rh_ca_cert_path': u"{{ (rh_certs.stdout | from_json).get('rh_ca_cert_path') }}"}), and could not be converted to an dict.The error was: No JSON object could be decoded
      The error appears to be in '/usr/share/ansible/roles/theforeman.foreman_scap_client/tasks/main.yml': line 21, column 3, but may
      be elsewhere in the file depending on the exact syntax problem.
      The offending line appears to be:

      • name: 'Set facts for rh certs'
        ^ here
        ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

      This Ansible error seems to be a problem with: https://github.com/theforeman/ansible-foreman_scap_client
      More specifically, this commit introduced the new task "Set facts for rh certs": https://github.com/theforeman/ansible-foreman_scap_client/commit/b2bf6c595363174935f94b0f479d27e8eb5690ba

      Version-Release number of selected component (if applicable):

      How reproducible:
      Always

      Steps to Reproduce:
      1. Applied the Ansible role DISA STIG for RHEL of OpenSCAP 0.1.48 (https://github.com/ComplianceAsCode/content/releases/download/v0.1.48/scap-security-guide-0.1.48.zip) to the client.
      2. Executed the theforeman.foreman_scap_client Ansible role on the client.

      Actual results:
      Role is failing with error.

      Expected results:
      It should get executed successfully.

      Additional info:
      It seems that the 'fapolicyd' service is causing the issue and not allowing the script to execute. After stopping the service, everything started working fine.
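
An added example (not part of the original report and not code from theforeman.foreman_scap_client): a playbook that checks a helper's result before `from_json` sees it, so a blocked execution is reported with its return code and the fapolicyd state instead of a JSON decode error. `helper_path` and the first three task names are hypothetical; `rh_certs` and the three key names are taken from the error message above.

```yaml
# Added example, not taken from theforeman.foreman_scap_client.
# helper_path is a placeholder; rh_certs and the three keys come from the error above.
- name: Check a JSON-emitting helper before parsing its output
  hosts: all
  become: true
  vars:
    helper_path: /path/to/helper   # placeholder: the command whose stdout is parsed
  tasks:
    - name: Collect service state (to report whether fapolicyd is running)
      service_facts:

    - name: Run the helper without failing, so the result can be inspected
      command: "{{ helper_path }}"
      register: rh_certs
      changed_when: false
      failed_when: false

    - name: Stop with the real cause if the helper did not return JSON
      assert:
        that:
          - rh_certs.rc | default(1) == 0
          - rh_certs.stdout | default('') | trim | length > 0
        fail_msg: >-
          Helper returned no JSON: rc={{ rh_certs.rc | default('n/a') }},
          msg={{ rh_certs.msg | default('') }},
          stderr={{ rh_certs.stderr | default('') | trim }}.
          fapolicyd state: {{ ansible_facts.services.get('fapolicyd.service', {}).get('state', 'not found') }}.
          If it is running, check that its policy allows this helper to execute.

    # Only reached when stdout is non-empty and the helper exited 0.
    - name: Set facts for rh certs
      set_fact:
        rh_ca_cert_path: "{{ parsed.get('rh_ca_cert_path') }}"
        rh_consumer_cert_path: "{{ parsed.get('rh_consumer_cert_path') }}"
        rh_consumer_private_key_path: "{{ parsed.get('rh_consumer_private_key_path') }}"
      vars:
        parsed: "{{ rh_certs.stdout | from_json }}"
```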

            jira-bugzilla-migration RH Bugzilla Integration
            rhn-support-kkinge Krutika Kinge
            RH Bugzilla Integration RH Bugzilla Integration