CentOS Not Applicable to DISA STIG Checklist for RHEL 7

Recently we enabled the DISA STIG Checklist for RHEL 7 site and subscribed our RHEL 7 and CentOS 7 boxes to the site. However, while the RHEL 7 computers reported as expected, the CentOS computers show all checks as “Not Applicable” in the Compliance web interface.

It’s clear from the Site Level Relevance and Relevance 1 of all of the fixlets in the site that the checklist is meant to cover CentOS 7 in addition to RHEL 7:

(version of client >= "8.1.551.0") AND (((exists match (regex "Red Hat Enterprise (Client|Server|Workstation) 7") of it) OR (exists match (regex "CentOS 7") of it)) of name of operating system)

Once we started investigating, it was clear that the issue was that the three applicability fixlets in the site (Applicability - Red Hat Enterprise Linux 7, Applicability - Red Hat Enterprise Linux 7 - Deploy and Run, Applicability - Red Hat Enterprise Linux 7 - Filesystem Scan) have an additional bit of relevance that is only applicable on RHEL 7 and not CentOS 7:

(version of client >= "9.5.2") and (((if windows of it then "windows" else if unix of it then "unix" else if mac of it then "macos" else "undefined") of operating system = "unix") and (((((exists (concatenation ", " of (it as string) of (exist matches (regex "^7.*$") of (it as string) of version of rpm version record of it) of packages "redhat-release-client" of rpm) whose (number of substrings separated by ", " whose (it is not "") of it > 0 and number of substrings separated by ", " whose (it is not "") whose (it as boolean is False) of it = 0) or exists (concatenation ", " of (it as string) of (exist matches (regex "^7.*$") of (it as string) of version of rpm version record of it) of packages "redhat-release-workstation" of rpm) whose (number of substrings separated by ", " whose (it is not "") of it > 0 and number of substrings separated by ", " whose (it is not "") whose (it as boolean is False) of it = 0)) or exists (concatenation ", " of (it as string) of (exist matches (regex "^7.*$") of (it as string) of version of rpm version record of it) of packages "redhat-release-server" of rpm) whose (number of substrings separated by ", " whose (it is not "") of it > 0 and number of substrings separated by ", " whose (it is not "") whose (it as boolean is False) of it = 0)) or exists (concatenation ", " of (it as string) of (exist matches (regex "^7.*$") of (it as string) of version of rpm version record of it) of packages "redhat-release-computenode" of rpm) whose (number of substrings separated by ", " whose (it is not "") of it > 0 and number of substrings separated by ", " whose (it is not "") whose (it as boolean is False) of it = 0)) or ((1 = number of packages "redhat-release-virtualization-host" of rpm and exists (concatenation ", " of (it as string) of ((number of substrings separated by ", " whose (it is not "") whose (it as boolean) of it > 0) of concatenation ", " of (it as string) of (exist matches (regex "7") of it) of parenthesized parts of matches (regex "^Red Hat Enterprise Linux release ([0-9])\.[0-9]+$") of item 1 of it) of ((it, (if exists it then concatenation "," of substrings separated by "<!comma>" of it else it) of tuple string items of concatenation ", " of substrings separated by "<!plural>" of concatenation "<!comma>" of substrings separated by "," of concatenation "<!plural>" of (if exist matches (regex "<!comma>|<!plural>") of it then error "Delimiter in string: <!comma>|<!plural>" else it) of lines whose (exist matches (regex "^Red Hat Enterprise Linux release ([0-9])\.[0-9]+$") of it) of it, "^Red Hat Enterprise Linux release ([0-9])\.[0-9]+$", 1) of it) of files "/etc/redhat-release") whose (number of substrings separated by ", " whose (it is not "") of it > 0 and number of substrings separated by ", " whose (it is not "") whose (it as boolean is False) of it = 0))))))

I had always thought the applicability fixlets were there to help you determine if you had computers subscribed to the site unnecessarily, but now it is clear that any computers not relevant for the applicability fixlets will show as Not Applicable in Compliance regardless of the results of the check fixlets.

We confirmed this by creating a custom copy of the site and removing Relevance 2 from the applicability fixlets, and CentOS 7 now reports as expected in the Compliance web interface.

Is it intended that the DISA STIG Checklist for RHEL 7 not work with CentOS 7 (in which case CentOS 7 should be removed from the Site Level Relevance and fixlet relevance)? Or was Relevance 2 in the applicability fixlets in error and was not tested against CentOS 7?

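To make the behaviour of Relevance 2 in the applicability fixlets concrete, here is an added Python rendering of its logic (this is not code from the checklist or from the original post). It accepts a host when one of the four redhat-release-* packages has an rpm version starting with "7", or when redhat-release-virtualization-host is installed and a line of /etc/redhat-release matches `^Red Hat Enterprise Linux release ([0-9])\.[0-9]+$` with a "7" in the captured group. A second function, which is an assumed extension and not part of the shipped relevance, also accepts the centos-release package. The four sample hosts are constructed inventories, not captured from real machines; the package versions and release strings are what those platforms ship but were typed in by hand here.

```python
import re
from typing import Dict, Tuple

# Package names accepted by the checklist's Relevance 2, each required to
# have an rpm version matching ^7.*$ (the regex used in the relevance).
RHEL_RELEASE_PACKAGES = (
    "redhat-release-client",
    "redhat-release-workstation",
    "redhat-release-server",
    "redhat-release-computenode",
)
VERSION_7_RE = re.compile(r"^7.*$")
# Line format the relevance requires in /etc/redhat-release; it is only
# consulted on the redhat-release-virtualization-host branch.
RELEASE_LINE_RE = re.compile(r"^Red Hat Enterprise Linux release ([0-9])\.[0-9]+$")

Inventory = Tuple[Dict[str, str], str]  # (rpm name -> rpm version, /etc/redhat-release)


def rhel7_applicable(packages: Dict[str, str], redhat_release: str) -> bool:
    """Python rendering of the applicability fixlets' Relevance 2.

    packages maps installed rpm name to rpm version string (the dict models
    at most one installed copy, which satisfies the "1 = number of packages"
    clause); redhat_release is the content of /etc/redhat-release.
    """
    for name in RHEL_RELEASE_PACKAGES:
        version = packages.get(name)
        if version is not None and VERSION_7_RE.match(version):
            return True
    if "redhat-release-virtualization-host" in packages:
        for line in redhat_release.splitlines():
            match = RELEASE_LINE_RE.match(line)
            # The relevance applies regex "7" to the captured major digit.
            if match and re.search("7", match.group(1)):
                return True
    return False


def rhel7_or_centos7_applicable(packages: Dict[str, str], redhat_release: str) -> bool:
    """Assumed extension (not the checklist's logic): also accept CentOS 7,
    which ships centos-release instead of any redhat-release-* package."""
    if rhel7_applicable(packages, redhat_release):
        return True
    version = packages.get("centos-release")
    return version is not None and VERSION_7_RE.match(version) is not None


# Constructed sample inventories (assumed, not taken from real hosts).
SAMPLE_HOSTS: Dict[str, Inventory] = {
    "rhel7-server": ({"redhat-release-server": "7.4"},
                     "Red Hat Enterprise Linux Server release 7.4 (Maipo)\n"),
    "centos7":      ({"centos-release": "7"},
                     "CentOS Linux release 7.4.1708 (Core)\n"),
    "rhel6-server": ({"redhat-release-server": "6.9"},
                     "Red Hat Enterprise Linux Server release 6.9 (Santiago)\n"),
    "rhv-host":     ({"redhat-release-virtualization-host": "4.1"},
                     "Red Hat Enterprise Linux release 7.4\n"),
}


def classify(hosts: Dict[str, Inventory]) -> Dict[str, Tuple[bool, bool]]:
    """Return host -> (Relevance 2 result, result with the CentOS extension)."""
    return {
        name: (rhel7_applicable(pkgs, rel), rhel7_or_centos7_applicable(pkgs, rel))
        for name, (pkgs, rel) in hosts.items()
    }


if __name__ == "__main__":
    for name, (original, extended) in classify(SAMPLE_HOSTS).items():
        print(f"{name:13} relevance2={original!s:5} with_centos={extended}")
```

The centos7 sample fails the shipped relevance on both branches: it has no redhat-release-* package, and the /etc/redhat-release branch is never reached without redhat-release-virtualization-host (and its "CentOS Linux release 7.4.1708 (Core)" line would not match the RHEL regex anyway). On a real box the two inputs come from `rpm -q --queryformat '%{VERSION}\n' centos-release` (or the redhat-release-* name) and `cat /etc/redhat-release`.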

After seeing your message I checked and we do have the same issue, where the CentOS 7 computers are not relevant now. Not sure when it changed, since I thought they had been relevant in the past.