`file_permissions_grub2_cfg` Ansible remediation conditions don't match Testing Farm systems
Description of problem:
On RHEL-8.10, remediating

- /hardening/host-os/ansible/cis
- /hardening/host-os/ansible/cis_workstation_l2
- /hardening/host-os/ansible/pci-dss
- /hardening/host-os/ansible/anssi_bp28_high

fail because the Ansible remediation snippet doesn't get executed, likely due to

```yaml
when:
  - '"/boot/efi" not in ansible_mounts | map(attribute="mount") | list'
  - ( "grub2-common" in ansible_facts.packages and "kernel-core" in ansible_facts.packages )
  - not ( ansible_virtualization_type in ["docker", "lxc", "openvz", "podman", "container"] )
  - file_exists.stat is defined and file_exists.stat.exists
```

failing to match something on the target system.
Ansible playbook output has:
```text
TASK [Ensure permission u-xs,g-xwrs,o-xwrt on /boot/grub2/grub.cfg] ************
skipping: [localhost] => {"changed": false, "false_condition": "\"/boot/efi\" not in ansible_mounts | map(attribute=\"mount\") | list", "skip_reason": "Conditional result was False"}
```
(the system is not UEFI, just regular x86_64 BIOS)
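To see which clause trips, here is an added example (not code from the ComplianceAsCode project or from this report) that mirrors the four `when:` clauses in plain Python and evaluates them against constructed fact sets, including a BIOS-booted host that still has an EFI system partition mounted at /boot/efi, which is what the `false_condition` above implies. The `make_facts` helper and all scenario data are assumptions made for the example.

```python
CONTAINER_TYPES = {"docker", "lxc", "openvz", "podman", "container"}

# The four `when:` clauses as (Jinja text, evaluator) pairs, in playbook order.
CONDITIONS = [
    ('"/boot/efi" not in ansible_mounts | map(attribute="mount") | list',
     lambda f: "/boot/efi" not in [m["mount"] for m in f.get("ansible_mounts", [])]),
    ('"grub2-common" in ansible_facts.packages and "kernel-core" in ansible_facts.packages',
     lambda f: "grub2-common" in f.get("packages", {}) and "kernel-core" in f.get("packages", {})),
    ('not ( ansible_virtualization_type in ["docker", "lxc", "openvz", "podman", "container"] )',
     lambda f: f.get("ansible_virtualization_type") not in CONTAINER_TYPES),
    ("file_exists.stat is defined and file_exists.stat.exists",
     lambda f: f.get("file_exists", {}).get("stat", {}).get("exists", False)),
]

def false_condition(facts):
    """Mimic Ansible's `when:` evaluation: return the text of the first clause that is
    False (what Ansible reports as false_condition), or None when the task would run."""
    for text, check in CONDITIONS:
        if not check(facts):
            return text
    return None

def make_facts(mounts, packages=("grub2-common", "kernel-core"), virt="kvm", grub_cfg=True):
    """Build a minimal fact set in the shape the snippet reads (constructed sample data)."""
    return {
        "ansible_mounts": [{"mount": m} for m in mounts],
        "packages": {p: [{"name": p}] for p in packages},  # ansible_facts.packages is keyed by name
        "ansible_virtualization_type": virt,
        "file_exists": {"stat": {"exists": grub_cfg}},
    }

# Constructed scenarios (not taken from a real system):
BIOS_HOST = make_facts(["/", "/boot"])                   # plain BIOS box: task runs
UEFI_HOST = make_facts(["/", "/boot", "/boot/efi"])      # UEFI box: correctly skipped
BIOS_WITH_ESP = make_facts(["/", "/boot", "/boot/efi"])  # BIOS boot, ESP still mounted:
                                                         # indistinguishable from UEFI_HOST,
                                                         # so grub.cfg hardening is skipped
CONTAINER = make_facts(["/"], virt="podman")

if __name__ == "__main__":
    for name, facts in [("BIOS_HOST", BIOS_HOST), ("UEFI_HOST", UEFI_HOST),
                        ("BIOS_WITH_ESP", BIOS_WITH_ESP), ("CONTAINER", CONTAINER)]:
        reason = false_condition(facts)
        print(f"{name}: {'runs' if reason is None else 'skipped: ' + reason}")
```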
SCAP Security Guide Version:
master @ 946c13c0175481e3e96abfb63446f755ffbb4267
Operating System Version:
RHEL-8
Steps to Reproduce:
Get a Testing Farm system via:

- `export TESTING_FARM_API_TOKEN=...` for RH ranch, generated on https://api.testing-farm.io/v0.1/login/redhat
- `pip install -U atex`
- `atex tf reserve -c RHEL-8.10.0-Nightly -t 300`