DISA OpenSCAP remediation playbook fails when the cron.allow file does not exist

Solution In Progress - Updated -

Issue

Using an OpenSCAP-generated Ansible playbook for DISA STIG remediation:

# oscap xccdf generate fix --fix-type ansible --profile xccdf_org.ssgproject.content_profile_stig-rhel7-disa --output /tmp/stig-rhel7-role.yml /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml

When the playbook is run with only the cron.allow-related tasks, an error occurs:

# ansible-playbook --tags DISA-STIG-RHEL-07-021120,DISA-STIG-RHEL-07-021110 -k -i "server1," /tmp/stig-rhel7-role.yml

[...]
TASK [Ensure group owner 0 on /etc/cron.allow] **********************************************************************************************************************************************************************************************
failed: [server1] (item=/etc/cron.allow) => {"changed": false, "item": "/etc/cron.allow", "msg": "file (/etc/cron.allow) is absent, cannot continue", "path": "/etc/cron.allow", "state": "absent"}
        to retry, use: --limit @/root/stig_role_playbook.retry
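
The failure mode shown above, as an added example (not the playbook that oscap generates and not Red Hat's resolution): Ansible's file module, asked to set ownership on a path that does not exist, stops with "is absent, cannot continue". The constructed playbook below puts a task of that shape next to a variant that checks for the file with stat first; the play name, the task names, the `unguarded` tag and the variable `cron_allow_stat` are assumptions.

```yaml
---
# Constructed example; not taken from /tmp/stig-rhel7-role.yml.
- name: Group ownership of /etc/cron.allow (illustration)
  hosts: all
  become: true
  tasks:
    # Shape that fails: state defaults to "file", which never creates the
    # path, so an absent /etc/cron.allow ends the play with
    # "file (/etc/cron.allow) is absent, cannot continue".
    # Tagged "never" so it only runs when requested with --tags unguarded.
    - name: Set group owner 0 without checking for the file
      file:
        path: /etc/cron.allow
        group: "0"
      tags: [never, unguarded]

    # Guarded shape: record whether the file exists, then act only if it does.
    - name: Check whether /etc/cron.allow exists
      stat:
        path: /etc/cron.allow
      register: cron_allow_stat   # hypothetical variable name

    - name: Set group owner 0 when the file is present
      file:
        path: /etc/cron.allow
        group: "0"
      when: cron_allow_stat.stat.exists

    - name: Report that the ownership task was skipped
      debug:
        msg: "/etc/cron.allow is absent; group ownership task skipped"
      when: not cron_allow_stat.stat.exists
```

The guarded variant only avoids the hard failure; the host still has no /etc/cron.allow afterwards, so whether the file should be created is a separate policy decision.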

Environment

Red Hat Enterprise Linux
