Some awk-ing in the ssg-rhel7-xccdf.xml from 1.36 showed the following rules with only ansible fixes:
accounts_root_path_dirs_no_write
audit_rules_dac_modification_fchmod
audit_rules_dac_modification_fchown
audit_rules_privileged_commands
audit_rules_privileged_commands_su
audit_rules_privileged_commands_sudo
audit_rules_unsuccessful_file_modification_open
dconf_gnome_banner_enabled
dconf_gnome_disable_automount
dconf_gnome_disable_ctrlaltdel_reboot
dconf_gnome_disable_geolocation
dconf_gnome_disable_restart_shutdown
dconf_gnome_disable_thumbnailers
dconf_gnome_disable_user_admin
dconf_gnome_disable_user_list
dconf_gnome_disable_wifi_create
dconf_gnome_disable_wifi_notification
dconf_gnome_screensaver_lock_delay
dconf_gnome_screensaver_user_info
firewalld_sshd_port_enabled
gnome_gdm_disable_automatic_login
gnome_gdm_disable_guest_login
mount_option_dev_shm_nodev
mount_option_dev_shm_noexec
mount_option_dev_shm_nosuid
mount_option_home_nodev
mount_option_home_nosuid
mount_option_var_tmp_nodev
mount_option_var_tmp_noexec
mount_option_var_tmp_nosuid
rpm_verify_hashes
sebool_httpd_can_network_connect
sebool_secure_mode
set_password_hashing_algorithm_libuserconf
sshd_disable_rhosts
sshd_enable_x11_forwarding
sssd_memcache_timeout
sssd_offline_cred_expiration
sssd_ssh_known_hosts_timeout