DISA OpenSCAP remediation playbook fails when the cron.allow file does not exist
Issue
Using an OpenSCAP-generated playbook for DISA STIG remediation:
# oscap xccdf generate fix --fix-type ansible --profile xccdf_org.ssgproject.content_profile_stig-rhel7-disa --output /tmp/stig-rhel7-role.yml /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml
Running the playbook with only the cron.allow-related tasks fails with an error:
# ansible-playbook --tags DISA-STIG-RHEL-07-021120,DISA-STIG-RHEL-07-021110 -k -i "server1," /tmp/stig-rhel7-role.yml
[...]
TASK [Ensure group owner 0 on /etc/cron.allow] **********************************************************************************************************************************************************************************************
failed: [server1] (item=/etc/cron.allow) => {"changed": false, "item": "/etc/cron.allow", "msg": "file (/etc/cron.allow) is absent, cannot continue", "path": "/etc/cron.allow", "state": "absent"}
to retry, use: --limit @/root/stig_role_playbook.retry
Environment
Red Hat Enterprise Linux