Back to bug 1378489
| Who | When | What | Removed | Added |
|---|---|---|---|---|
| Šimon Lukašík | 2016-09-23 07:33:27 UTC | CC | slukasik | |
| Martin Preisler | 2016-09-26 19:20:31 UTC | CC | mpreisle | |
| Assignee | jlieskov | wsato | ||
| Marek Haicman | 2016-10-12 15:51:04 UTC | Doc Text | Cause: RHEL6 example kickstarts are same as the upstream - during installation, git is used to fetch newest scap-security-guide, which is then used for remediation. Consequence: Machine attempts to connect to the Internet, and uses the latest scap-security-guide, which is checked by RH QE and might be faulty. Workaround (if any): Add requirement to install scap-security-guide package and replace %post section with: oscap xccdf eval --remediate --profile #PROFILE# \ --results /root/oscap_pci_dss_remediation_result.xml \ --report /root/oscap_pci_dss_remediation_report.html \ /usr/share/xml/scap/ssg/content/ssg-rhel6-xccdf.xml Where #PROFILE# is either pci-dss, usgcb-rhel6-server or stig-rhel6-server-upstream Result: Remediation is done based on SSG shipped with RHEL7.3, and it works even without connection to the Internet. | |
| Doc Type | If docs needed, set a value | Known Issue | ||
| Lenka Špačková | 2016-10-17 14:25:20 UTC | Docs Contact | mjahoda | |
| Mirek Jahoda | 2016-10-27 12:29:07 UTC | Flags | needinfo?(mhaicman) | |
| Marek Haicman | 2016-10-27 13:03:10 UTC | Flags | needinfo?(mhaicman) | |
| Mirek Jahoda | 2016-10-27 14:54:22 UTC | Doc Text | Cause: RHEL6 example kickstarts are same as the upstream - during installation, git is used to fetch newest scap-security-guide, which is then used for remediation. Consequence: Machine attempts to connect to the Internet, and uses the latest scap-security-guide, which is checked by RH QE and might be faulty. Workaround (if any): Add requirement to install scap-security-guide package and replace %post section with: oscap xccdf eval --remediate --profile #PROFILE# \ --results /root/oscap_pci_dss_remediation_result.xml \ --report /root/oscap_pci_dss_remediation_report.html \ /usr/share/xml/scap/ssg/content/ssg-rhel6-xccdf.xml Where #PROFILE# is either pci-dss, usgcb-rhel6-server or stig-rhel6-server-upstream Result: Remediation is done based on SSG shipped with RHEL7.3, and it works even without connection to the Internet. | _scap-security-guide_ RHEL6 example kickstart files are not recommended for use The RHEL6 example kickstart files, which are included in the _scap-security-guide_ package, install the latest upstream version of the _scap-security-guide_ package. This version is not checked by the Red Hat QE team. To work around this problem, use the corrected RHEL6 example kickstart files from the _scap-security-guide_ package that is included in the current RHEL6 release, or manually change the %post section in the kickstart file. Note, the RHEL7 example kickstart files are not affected by this issue. |
| Lenka Špačková | 2016-10-27 15:50:00 UTC | Doc Text | _scap-security-guide_ RHEL6 example kickstart files are not recommended for use The RHEL6 example kickstart files, which are included in the _scap-security-guide_ package, install the latest upstream version of the _scap-security-guide_ package. This version is not checked by the Red Hat QE team. To work around this problem, use the corrected RHEL6 example kickstart files from the _scap-security-guide_ package that is included in the current RHEL6 release, or manually change the %post section in the kickstart file. Note, the RHEL7 example kickstart files are not affected by this issue. | _scap-security-guide_ example kickstart files for Red Hat Enterprise Linux 6 are not recommended for use The Red Hat Enterprise Linux 6 example kickstart files, which are included in the _scap-security-guide_ package for Red Hat Enterprise Linux 7, install the latest upstream version of the _scap-security-guide_ package. This version has not been checked by the Red Hat Quality Engineering team. To work around this problem, use the corrected Red Hat Enterprise Linux 6 example kickstart files from the _scap-security-guide_ package that is included in the current Red Hat Enterprise Linux 6 release, or manually change the %post section in the kickstart file. Note that the Red Hat Enterprise Linux 7 example kickstart files are not affected by this issue. |
| Lenka Špačková | 2016-10-27 16:03:27 UTC | Doc Text | _scap-security-guide_ example kickstart files for Red Hat Enterprise Linux 6 are not recommended for use The Red Hat Enterprise Linux 6 example kickstart files, which are included in the _scap-security-guide_ package for Red Hat Enterprise Linux 7, install the latest upstream version of the _scap-security-guide_ package. This version has not been checked by the Red Hat Quality Engineering team. To work around this problem, use the corrected Red Hat Enterprise Linux 6 example kickstart files from the _scap-security-guide_ package that is included in the current Red Hat Enterprise Linux 6 release, or manually change the %post section in the kickstart file. Note that the Red Hat Enterprise Linux 7 example kickstart files are not affected by this issue. | _scap-security-guide_ example kickstart files for Red Hat Enterprise Linux 6 are not recommended for use The Red Hat Enterprise Linux 6 example kickstart files, which are included in the _scap-security-guide_ package for Red Hat Enterprise Linux 7, install the latest version of the _scap-security-guide_ package directly from the upstream repository, which means that this version has not been checked by the Red Hat Quality Engineering team. To work around this problem, use the corrected Red Hat Enterprise Linux 6 example kickstart files from the _scap-security-guide_ package that is included in the current Red Hat Enterprise Linux 6 release, or alternatively, manually change the %post section in the kickstart file. Note that the Red Hat Enterprise Linux 7 example kickstart files are not affected by this problem. |
| Watson Yuuma Sato | 2016-12-12 14:12:28 UTC | CC | redhatrises | |
| Status | NEW | POST | ||
| Marek Haicman | 2017-03-17 13:51:37 UTC | Flags | needinfo?(mpreisle) | |
| Martin Preisler | 2017-03-17 18:08:07 UTC | Flags | needinfo?(mpreisle) | |
| Watson Yuuma Sato | 2017-03-30 13:06:04 UTC | Status | POST | MODIFIED |
| Fixed In Version | scap-security-guide-0.1.32-1.el7 | |||
| errata-xmlrpc | 2017-03-30 14:55:06 UTC | Status | MODIFIED | ON_QA |
| Marek Haicman | 2017-06-12 18:35:21 UTC | Comment 0 is private | 1 | 0 |
| Status | ON_QA | VERIFIED | ||
| QA Contact | qe-baseos-security | mhaicman | ||
| errata-xmlrpc | 2017-08-01 12:23:38 UTC | Status | VERIFIED | CLOSED |
| Resolution | --- | ERRATA | ||
| Last Closed | 2017-08-01 08:23:38 UTC |
Back to bug 1378489