
Applying remediations after full scan causes dependency problems between related rules

Open matusmarhefka opened this issue 2 years ago • 0 comments

Example of a problem

There are 2 rules in a benchmark:

  1. Prevent user from disabling the screen lock (tmux should not be listed in /etc/shells file, rule no_tmux_in_shells)
  2. Install the tmux package (rule package_tmux_installed)

The tmux package is not installed by default, therefore the result of remediation will be:

  1. pass
  2. fixed

But an additional scan of the system will result in:

  1. fail
  2. pass

This is because the remediation of the rule package_tmux_installed will add tmux into the /etc/shells file, which will make the rule no_tmux_in_shells fail.

There are many more such cases (and slowly they are increasing in count), e.g.:

https://github.com/ComplianceAsCode/content/issues/8913
https://github.com/ComplianceAsCode/content/issues/8487
https://github.com/ComplianceAsCode/content/issues/9132
https://github.com/ComplianceAsCode/content/issues/9250

Currently, the only workaround is to run the remediation once more, which should fix those dependent rules. The issue can be solved by applying a remediation after scanning each rule, which would solve the issue if rules are properly ordered in a benchmark (e.g. rules about package installation/removal are sorted first in the benchmark).

matusmarhefka avatar Aug 16 '22 14:08 matusmarhefka
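The following is an added example that is not part of the issue or of the OpenSCAP project. It models the two rules from the report against a toy system state (installed packages plus the contents of /etc/shells) and compares three strategies: full scan followed by remediation (the behaviour the issue describes), remediation applied immediately after each rule in the benchmark's order, and the same per-rule remediation with the package rule sorted first. It also shows the "run remediation twice" workaround and a small regression check that flags rules which were pass/fixed after remediation but fail on the follow-up scan. The rule names are the ones from the issue; the state model, the assumption that installing the package is what adds `/usr/bin/tmux` to /etc/shells, and all function names are constructed for the example.

```python
from typing import Callable, Dict, List, NamedTuple, Tuple

# Toy system state: the set of installed packages and the entries of /etc/shells.
State = Dict[str, set]


class Rule(NamedTuple):
    rule_id: str
    check: Callable[[State], bool]   # True when the rule passes
    fix: Callable[[State], None]     # remediation; mutates the state in place


def initial_state() -> State:
    # Constructed starting point: tmux is not installed, /etc/shells lists only bash.
    return {"packages": {"bash"}, "shells": {"/bin/bash"}}


def install_tmux(state: State) -> None:
    # Assumption modelled from the issue: installing the package also registers
    # tmux in /etc/shells, which is what couples the two rules.
    state["packages"].add("tmux")
    state["shells"].add("/usr/bin/tmux")


RULE_NO_TMUX_IN_SHELLS = Rule(
    "no_tmux_in_shells",
    check=lambda s: "/usr/bin/tmux" not in s["shells"],
    fix=lambda s: s["shells"].discard("/usr/bin/tmux"),
)
RULE_PACKAGE_TMUX_INSTALLED = Rule(
    "package_tmux_installed",
    check=lambda s: "tmux" in s["packages"],
    fix=install_tmux,
)
# Benchmark order as in the issue: the screen-lock rule comes before the package rule.
BENCHMARK = [RULE_NO_TMUX_IN_SHELLS, RULE_PACKAGE_TMUX_INSTALLED]


def scan(rules: List[Rule], state: State) -> Dict[str, str]:
    """Evaluate every rule without changing anything."""
    return {r.rule_id: ("pass" if r.check(state) else "fail") for r in rules}


def scan_then_remediate(rules: List[Rule], state: State) -> Dict[str, str]:
    """Current behaviour described in the issue: scan all rules, then fix the failures."""
    results = scan(rules, state)
    for r in rules:
        if results[r.rule_id] == "fail":
            r.fix(state)
            results[r.rule_id] = "fixed"
    return results


def remediate_per_rule(rules: List[Rule], state: State) -> Dict[str, str]:
    """Proposed behaviour: check a rule and fix it before moving to the next rule."""
    results: Dict[str, str] = {}
    for r in rules:
        if r.check(state):
            results[r.rule_id] = "pass"
        else:
            r.fix(state)
            results[r.rule_id] = "fixed"
    return results


def find_regressions(remediation: Dict[str, str], rescan: Dict[str, str]) -> List[str]:
    """Rules reported pass/fixed by the remediation run that fail on the follow-up scan."""
    return sorted(
        rid for rid, res in remediation.items()
        if res in ("pass", "fixed") and rescan.get(rid) == "fail"
    )


def demo(strategy: Callable, rules: List[Rule]) -> Tuple[Dict[str, str], Dict[str, str], List[str]]:
    """Run one remediation strategy on a fresh state, rescan, and report regressions."""
    state = initial_state()
    first = strategy(rules, state)
    second = scan(rules, state)
    return first, second, find_regressions(first, second)


def workaround_run_twice(rules: List[Rule]) -> Tuple[Dict[str, str], Dict[str, str]]:
    """The workaround from the issue: a second remediation pass fixes the dependent rule."""
    state = initial_state()
    scan_then_remediate(rules, state)
    second_run = scan_then_remediate(rules, state)
    return second_run, scan(rules, state)


if __name__ == "__main__":
    for name, strategy, order in [
        ("full scan, then remediate", scan_then_remediate, BENCHMARK),
        ("per-rule remediation, issue order", remediate_per_rule, BENCHMARK),
        ("per-rule remediation, package rule first", remediate_per_rule, list(reversed(BENCHMARK))),
    ]:
        first, second, regressions = demo(strategy, order)
        print(f"{name}: remediation={first} rescan={second} regressions={regressions}")
    print("workaround (second remediation run):", workaround_run_twice(BENCHMARK))
```

Running the block reproduces the issue's observation (1: pass, 2: fixed, then 1: fail, 2: pass) for the full-scan strategy, shows that per-rule remediation alone does not help when the benchmark keeps the original order, and shows that it does once the package rule is sorted first. The `find_regressions` check is the part worth keeping in a real pipeline: comparing the remediation results with a follow-up evaluation is the cheapest way to catch this class of dependency before a second run hides it.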