From 00cfd2d541f716802714bb93b89b337b67990509 Mon Sep 17 00:00:00 2001
From: CentOS Sources <bugs@centos.org>
Date: Sun, 20 Feb 2022 20:18:42 +0000
Subject: [PATCH] import scap-security-guide-0.1.60-4.el8

---
 ...ve-krb5-workstation-on-ovirt-PR_8233.patch | 26 +++++++++++
 ...nsible-service-disabled-task-PR_8226.patch | 44 +++++++++++++++++++
 SPECS/scap-security-guide.spec                |  8 +++-
 3 files changed, 77 insertions(+), 1 deletion(-)
 create mode 100644 SOURCES/scap-security-guide-0.1.61-dont-remove-krb5-workstation-on-ovirt-PR_8233.patch
 create mode 100644 SOURCES/scap-security-guide-0.1.61-fix-ansible-service-disabled-task-PR_8226.patch

diff --git a/SOURCES/scap-security-guide-0.1.61-dont-remove-krb5-workstation-on-ovirt-PR_8233.patch b/SOURCES/scap-security-guide-0.1.61-dont-remove-krb5-workstation-on-ovirt-PR_8233.patch
new file mode 100644
index 0000000..588fa8e
--- /dev/null
+++ b/SOURCES/scap-security-guide-0.1.61-dont-remove-krb5-workstation-on-ovirt-PR_8233.patch
@@ -0,0 +1,26 @@
+From 9c57a8718f82458fe3784263fdb1e51bd08fff83 Mon Sep 17 00:00:00 2001
+From: Watson Sato <wsato@redhat.com>
+Date: Wed, 16 Feb 2022 12:46:21 +0100
+Subject: [PATCH] Do not remove krb5-workstation package on oVirt
+
+---
+ .../system-tools/package_krb5-workstation_removed/rule.yml  | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/linux_os/guide/system/software/system-tools/package_krb5-workstation_removed/rule.yml b/linux_os/guide/system/software/system-tools/package_krb5-workstation_removed/rule.yml
+index 4d8951a9148..813474842ec 100644
+--- a/linux_os/guide/system/software/system-tools/package_krb5-workstation_removed/rule.yml
++++ b/linux_os/guide/system/software/system-tools/package_krb5-workstation_removed/rule.yml
+@@ -27,6 +27,12 @@ references:
+     stigid@ol8: OL08-00-010162
+     stigid@rhel8: RHEL-08-010162
+ 
++platforms:
++{{{ rule_notapplicable_when_ovirt_installed() | indent(4)}}}
++
++warnings:
++{{{ ovirt_rule_notapplicable_warning("RHV hosts require ipa-client package, which has dependency on krb5-workstation") | indent(4) }}}
++
+ {{{ complete_ocil_entry_package(package="krb5-workstation") }}}
+ 
+ template:
diff --git a/SOURCES/scap-security-guide-0.1.61-fix-ansible-service-disabled-task-PR_8226.patch b/SOURCES/scap-security-guide-0.1.61-fix-ansible-service-disabled-task-PR_8226.patch
new file mode 100644
index 0000000..7103ed1
--- /dev/null
+++ b/SOURCES/scap-security-guide-0.1.61-fix-ansible-service-disabled-task-PR_8226.patch
@@ -0,0 +1,44 @@
+From 1c054ed40a4dbc2a48ffe7720d018c317cad8105 Mon Sep 17 00:00:00 2001
+From: Watson Sato <wsato@redhat.com>
+Date: Tue, 15 Feb 2022 14:12:55 +0100
+Subject: [PATCH] Simply mask services that should be disabled
+
+At some point Ansible started to return much more services in
+ansible_facts.services, including services that are not installed.
+This caused the task to think that the service exists, attempt to stop
+and mask the service.
+But systemd module fatal errors on non existing services, although the
+module ends up masking the service in question.
+
+The bash remediations simply mask the service, even if it is not
+installed.
+Let's do the same with Ansible, mask the service and ignore errors.
+
+One down side is that every non-existing service is reported as an
+error, which is ignored. But still a fatal error.
+---
+ shared/templates/service_disabled/ansible.template | 5 +----
+ 1 file changed, 1 insertion(+), 4 deletions(-)
+
+diff --git a/shared/templates/service_disabled/ansible.template b/shared/templates/service_disabled/ansible.template
+index 550ed563056..254f41ac7fd 100644
+--- a/shared/templates/service_disabled/ansible.template
++++ b/shared/templates/service_disabled/ansible.template
+@@ -6,16 +6,13 @@
+ {{%- if init_system == "systemd" %}}
+ - name: Disable service {{{ SERVICENAME }}}
+   block:
+-  - name: Gather the service facts
+-    service_facts:
+-
+   - name: Disable service {{{ SERVICENAME }}}
+     systemd:
+       name: "{{{ DAEMONNAME }}}.service"
+       enabled: "no"
+       state: "stopped"
+       masked: "yes"
+-    when: '"{{{ DAEMONNAME }}}.service" in ansible_facts.services'
++    ignore_errors: 'yes'
+ 
+ - name: "Unit Socket Exists - {{{ DAEMONNAME }}}.socket"
+   command: systemctl list-unit-files {{{ DAEMONNAME }}}.socket
diff --git a/SPECS/scap-security-guide.spec b/SPECS/scap-security-guide.spec
index 56d46f3..2b63dce 100644
--- a/SPECS/scap-security-guide.spec
+++ b/SPECS/scap-security-guide.spec
@@ -6,7 +6,7 @@
 
 Name:		scap-security-guide
 Version:	0.1.60
-Release:	3%{?dist}
+Release:	4%{?dist}
 Summary:	Security guidance and baselines in SCAP formats
 License:	BSD-3-Clause
 Group:		Applications/System
@@ -58,6 +58,8 @@ Patch36:		scap-security-guide-0.1.61-grub2_rule_desc_update-PR_8184.patch
 Patch37:		scap-security-guide-0.1.61-grub2_template_fix-PR_8180.patch
 Patch38:		scap-security-guide-0.1.61-rear_not_applicable_aarch64-PR_8221.patch
 Patch39:		scap-security-guide-0.1.61-add_RHEL_08_0103789_include_sudoers-PR_8196.patch
+Patch40:		scap-security-guide-0.1.61-fix-ansible-service-disabled-task-PR_8226.patch
+Patch41:		scap-security-guide-0.1.61-dont-remove-krb5-workstation-on-ovirt-PR_8233.patch
 
 BuildRequires:	libxslt
 BuildRequires:	expat
@@ -162,6 +164,10 @@ cp -r %{_builddir}/%{_static_rhel6_content}/guides %{buildroot}%{_docdir}/%{name
 %endif
 
 %changelog
+* Wed Feb 16 2022 Watson Sato <wsato@redhat.com> - 0.1.60-4
+- Fix Ansible service disabled tasks (RHBZ#2014485)
+- Set rule package_krb5-workstation_removed as not applicable on RHV (RHBZ#2055149)
+
 * Mon Feb 14 2022 Gabriel Becker <ggasparb@redhat.com> - 0.1.60-3
 - Update sudoers rules in RHEL8 STIG V1R5 (RHBZ#2049555)
 - Add missing SRG references in RHEL8 STIG V1R5 rules (RHBZ#2049555)