Fix Ansible in rule ensure_redhat_gpgkey_installed

[jan-cerny]

We have discovered that in some Ansible Playbooks that we generate, for example in rhel8-playbook-anssi_bp28_high.yml, the remediation for rule ensure_redhat_gpgkey_installed doesn't ensure that Red Hat GPG key is installed.

Specifically, the Ansible Task Import RedHat GPG key is skipped during the Playbook execution because the condition (gpg_installed_fingerprints | difference(gpg_valid_fingerprints)) | length == 0 that is part of the when statement in that task is evaluated as false. The root cause is that the gpg_installed_fingerprints fact is a list but the gpg_valid_fingerprints is a tuple. Starting from Ansible 2.16, the difference filter changed behavior when its operands are each of a different type. Therefore a list of different items of a non-zero length is produced. An easy fix to this is to define both aforementioned facts as same data types, eg. lists.

Fixes: #11399, #11409

Review Hints:

1. Get a machine running RHEL 8 (for example RHEL-8.10.0-20240101.1) that contains ansible-core-2.16.2-1.el8.x86_64
2. Install the scap-security-guide built by Packit job rpm-build:centos-stream-8-x86_64 in this PR to that machine
3. Run the contest test /hardening/ansible/anssi_bp28_high on that machine
4. check that the Ansible Playbook that was run during the test finished completely and haven't terminated soon
5. check that the rule ensure_redhat_gpgkey_installed is PASS in the after scan

[openshift-ci]

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

[github-actions]

Start a new ephemeral environment with changes proposed in this pull request:

rhel8 (from CTF) Environment (using Fedora as testing environment)

Fedora Testing Environment

Oracle Linux 8 Environment

[github-actions]

This datastream diff is auto generated by the check Compare DS/Generate Diff

Click here to see the full diff

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_ensure_redhat_gpgkey_installed' differs.
--- xccdf_org.ssgproject.content_rule_ensure_redhat_gpgkey_installed
+++ xccdf_org.ssgproject.content_rule_ensure_redhat_gpgkey_installed
@@ -72,7 +72,9 @@
 
 - name: Set Fact - Valid fingerprints
   set_fact:
-    gpg_valid_fingerprints: ("567E347AD0044ADE55BA8A5F199E2F91FD431D51" "6A6AA7C97C8890AEC6AEBFE2F76F66C3D4082792")
+    gpg_valid_fingerprints:
+    - 567E347AD0044ADE55BA8A5F199E2F91FD431D51
+    - 6A6AA7C97C8890AEC6AEBFE2F76F66C3D4082792
   tags:
   - CCE-80795-8
   - CJIS-5.10.4.1

[codeclimate]

Code Climate has analyzed commit f0e38a3 and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 58.5% (0.0% change).

View more on Code Climate.

[jan-cerny]

/packit retest-failed

[jan-cerny]

/packit retest-failed

[jan-cerny]

Automatus job fails because we run the test scenarios against a non-RHEL back end which is usually a CentOS container and there there are no Red Hat GPG keys, these keys are specific to RHEL. If you execute the Automatus tests against a RHEL 8 virtual machine back end the tests pass.

jcerny@dhcp129-133:~/work/git/scap-security-guide (issue11399)$ python3 tests/automatus.py rule --libvirt qemu:///system ssgts_rhel8 --remediate-using ansible ensure_redhat_gpgkey_installed
Setting console output to log level INFO
INFO - The base image option has not been specified, choosing libvirt-based test environment.
INFO - Logging into /home/jcerny/work/git/scap-security-guide/logs/rule-custom-2024-01-03-1646/test_suite.log
WARNING - Script fedora_key.fail.sh is not applicable on given platform
INFO - xccdf_org.ssgproject.content_rule_ensure_redhat_gpgkey_installed
INFO - Script key_installed.pass.sh using profile (all) OK
INFO - Script missing_key.fail.sh using profile (all) OK

[vojtapolasek]

Thank you @jan-cerny for discovering this problem. I tested it and it works as expected.