rhel7-playbook-stig.yml fatal error: openssl-pkcs11 package #9894

Closed
marcusburghardt opened this issue Nov 28, 2022 · 14 comments · Fixed by #9910

@marcusburghardt
Member

Description of problem:

The Ansible playbook for RHEL7 STIG is failing with a fatal error when trying to install the openssl-pkcs11 package on a RHEL7 system.

SCAP Security Guide Version:

master as of 2022-11-26

Operating System Version:

RHEL7.9

Steps to Reproduce:

  1. Remediate a RHEL7 system using the rhel7-playbook-stig.yml Playbook.

Actual Results:

TASK [Ensure openssl-pkcs11 is installed] **************************************
fatal: [192.168.122.69]: FAILED! => {"changed": false, "msg": "No package matching 'openssl-pkcs11' found available, installed or updated", "rc": 126, "results": ["No package matching 'openssl-pkcs11' found available, installed or updated"]}

Expected Results:

Playbook execution finishes without errors

Additional Information/Debugging Steps:

In RHEL7, the pam_pkcs11 package is probably the desired package instead of the openssl-pkcs11 package.

@marcusburghardt marcusburghardt added Ansible Ansible remediation update. productization-issue Issue found in upstream stabilization process. RHEL7 Red Hat Enterprise Linux 7 product related. labels Nov 28, 2022
@ggbecker
Member

@marcusburghardt
Member Author

That is a bit weird:

Indeed. It seems it was not working and the "default" package was selected. We need to investigate this.

@mildas
Contributor

mildas commented Nov 28, 2022

Very strange.
The package built from the c99a90e commit has no "Ensure openssl-pkcs11 is installed" task in the RHEL7 STIG playbook:

[mlysonek@ibm-p8-rhevm-08 tmp]$ grep "Ensure openssl-pkcs11 is installed" usr/share/scap-security-guide/ansible/rhel7-playbook-stig.yml
[mlysonek@ibm-p8-rhevm-08 tmp]$ grep "Ensure pam_pkcs11 is installed" usr/share/scap-security-guide/ansible/rhel7-playbook-stig.yml
    - name: Ensure pam_pkcs11 is installed

I will look at it more tomorrow. So far no clue.

@marcusburghardt
Member Author

@mildas, are you comfortable assigning this issue to yourself?

@ggbecker
Member

This issue is very weird. Even the package used for testing has no occurrence of openssl-pkcs11 in the rhel7-playbook-stig.yml file. I guess we should also upload the playbook to the artifacts when there is a problem in the test, for example. @mildas

@ggbecker
Member

I would rerun the test and check if it still manifests

@mildas
Contributor

mildas commented Nov 29, 2022

Actually, I was wrong.
It is correct ONLY in the rhel7 playbook from the RHEL8 package. The RHEL7 playbook from the RHEL7 package is wrong.

scap-security-guide-0.1.65-1.gitc99a90e.el8.noarch.rpm
[mlysonek@ibm-p8-rhevm-08 tmp]$ grep "Ensure pam_pkcs11 is installed" usr/share/scap-security-guide/ansible/rhel7-playbook-stig.yml
    - name: Ensure pam_pkcs11 is installed
[mlysonek@ibm-p8-rhevm-08 tmp]$ grep "Ensure openssl-pkcs11 is installed" usr/share/scap-security-guide/ansible/rhel7-playbook-stig.ym
scap-security-guide-0.1.65-1.gitc99a90e.el7_9.noarch.rpm
[mlysonek@ibm-p8-rhevm-08 tmp]$ grep "Ensure pam_pkcs11 is installed" usr/share/scap-security-guide/ansible/rhel7-playbook-stig.yml
[mlysonek@ibm-p8-rhevm-08 tmp]$ grep "Ensure openssl-pkcs11 is installed" usr/share/scap-security-guide/ansible/rhel7-playbook-stig.yml
    - name: Ensure openssl-pkcs11 is installed

I would rerun the test and check if it still manifests

I did a test re-run and it's there. Running tests on the latest master now.

@mildas, are you comfortable assigning this issue to yourself?

Well, not much comfortable :D But I will assign it and at least try.

@mildas mildas self-assigned this Nov 29, 2022
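
The comparison done by hand with grep above can be automated as a build-consistency check. The following is an added example, not code from this thread or from the ComplianceAsCode project: it extracts the "Ensure <package> is installed" task names from the same playbook taken from several builds of one commit and reports every package on which the builds disagree. The function names, the build labels and the sample playbook text are constructed for illustration.

```python
import re

# Matches task names of the form seen in the grep output above:
#     - name: Ensure pam_pkcs11 is installed
TASK_RE = re.compile(r"^\s*-\s+name:\s+Ensure (\S+) is installed\s*$", re.M)


def installed_packages(playbook_text):
    """Return the set of package names the playbook ensures are installed."""
    return set(TASK_RE.findall(playbook_text))


def diff_builds(builds):
    """Compare one playbook as produced by several builds of the same commit.

    builds maps a label (for example the RPM dist tag) to the playbook text.
    Returns {package: sorted labels whose playbook installs it} for every
    package that is not installed by all builds.
    """
    per_build = {label: installed_packages(text) for label, text in builds.items()}
    everything = set().union(*per_build.values())
    return {
        pkg: sorted(label for label, pkgs in per_build.items() if pkg in pkgs)
        for pkg in sorted(everything)
        if any(pkg not in pkgs for pkgs in per_build.values())
    }


# Constructed sample input: a minimal playbook fragment, not the real file.
EL8_BUILD = """\
- hosts: all
  tasks:
    - name: Ensure pam_pkcs11 is installed
      package:
        name: pam_pkcs11
        state: present
    - name: Ensure aide is installed
      package:
        name: aide
        state: present
"""
# Constructed: the same fragment with the package the el7_9 build emitted.
EL7_BUILD = EL8_BUILD.replace("pam_pkcs11", "openssl-pkcs11")

if __name__ == "__main__":
    found = diff_builds({"el8": EL8_BUILD, "el7_9": EL7_BUILD})
    for pkg, labels in found.items():
        print(f"{pkg}: only in {', '.join(labels)}")
```

A non-empty result means the same source commit produced different remediation content depending on where it was built, which is the condition this issue describes.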
@mildas
Contributor

mildas commented Nov 29, 2022

@marcusburghardt I think all smartcard issues are related.

@ggbecker
Member

Maybe some race condition would make the build generate bogus content... that will be really hard to find out.

@yuumasato
Member

I just built the content on a rhel7 machine and the Ensure openssl-pkcs11 is installed task is there.

@yuumasato
Member

yuumasato commented Nov 29, 2022

In the pre-compile rule (build/rhel7/rules/install_smartcard_packages.yml) in RHEL7 I see this:

    backends: {}
    name: package_installed
    vars: {pkgname: openssl-pkcs11}

While I see this in the pre-compiled rule in Fedora:

template:
    name: package_installed
    vars:
        pkgname: pam_pkcs11
    backends: {}

@yuumasato
Member

Building with Python3 on RHEL7 solves the issue, 😞

@mildas
Contributor

mildas commented Nov 29, 2022

git bisect says:

5c7cf430a1012bf3151872519f7873b99218f5cb is the first bad commit

5c7cf43

@marcusburghardt marcusburghardt added this to the 0.1.66 milestone Nov 29, 2022
@mildas
Contributor

mildas commented Nov 29, 2022

Feel free to assign the issue to yourself @evgenyz (or to anyone who will be working on it).
