Bug 1100367
| Summary: | some default provisioning templates produces system with insecure settings | |||
|---|---|---|---|---|
| Product: | Red Hat Satellite | Reporter: | Jan Hutař <jhutar> | |
| Component: | Provisioning | Assignee: | Dmitri Dolguikh <dmitri> | |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Kedar Bidarkar <kbidarka> | |
| Severity: | medium | Docs Contact: | ||
| Priority: | high | |||
| Version: | Nightly | CC: | bbuckingham, dcleal, dmitri, jmontleo, kbidarka | |
| Target Milestone: | Unspecified | Keywords: | Triaged | |
| Target Release: | Unused | |||
| Hardware: | Unspecified | |||
| OS: | Unspecified | |||
| URL: | http://projects.theforeman.org/issues/5895 | |||
| Whiteboard: | ||||
| Fixed In Version: | Doc Type: | Bug Fix | ||
| Doc Text: | Story Points: | --- | ||
| Clone Of: | ||||
| : | 1100582 (view as bug list) | Environment: | ||
| Last Closed: | 2014-07-02 14:04:44 UTC | Type: | Bug | |
| Regression: | --- | Mount Type: | --- | |
| Documentation: | --- | CRM: | ||
| Verified Versions: | Category: | --- | ||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
| Cloudforms Team: | --- | Target Upstream Version: | ||
| Embargoed: | ||||
| Bug Depends On: | ||||
| Bug Blocks: | 1100582 | |||
1. System not registered: the "Katello Kickstart Default for RHEL" template should do register the host to Sat6/Katello automatically using the activation key specified on the host, if not, please file a separate BZ with a bit more information. The other two Kickstart* templates are supplied by Foreman and can register hosts if configured correctly, but aren't intended to be used in Sat6. 2. SELinux in permissive: I've cloned this to bug #1100582 to be fixed in Katello. 3. Services disabled: we'll address that via this BZ in Foreman. 4. Default packages: I've mentioned this on bug #1100582 in case Katello wish to specifically exclude it, but otherwise this is dictated by comps in the OS itself. Thank you for response! (In reply to Dominic Cleal from comment #3) > 1. System not registered: the "Katello Kickstart Default for RHEL" template > should do register the host to Sat6/Katello automatically using the > activation key specified on the host, if not, please file a separate BZ with > a bit more information. Have to get mine setup back. Will test and report later. > The other two Kickstart* templates are supplied by Foreman and can register > hosts if configured correctly, but aren't intended to be used in Sat6. I have reported bug 1104570 for this. > 2. SELinux in permissive: I've cloned this to bug #1100582 to be fixed in > Katello. Thank you. > 3. Services disabled: we'll address that via this BZ in Foreman. OK. > 4. Default packages: I've mentioned this on bug #1100582 in case Katello > wish to specifically exclude it, but otherwise this is dictated by comps in > the OS itself. Once I have mine setup I'll either forgot about it or test it and create separate bugzilla. This will need patching downstream against app/views/unattended/kickstart/, it's been merged to community-templates upstream. verified with SNAP10 1) systems do get registered automatically One requires the below parameters to be set for the Host. a) kt_org as "<the desired org> b) kt_activation_keys "<the ak to be registered with" [root@xxxx ~]# yum repolist Loaded plugins: product-id, subscription-manager repo id repo name status ACME_Corporation_RHEL7_RHEL7_x86_64 RHEL7_x86_64 4,305 repolist: 4,305 2) SELinux is running in enforced mode. [root@xxxx ~]# getenforce Enforcing 3) Below are the services which are enabled [root@xxxx ~]# systemctl list-unit-files | grep -i firewall dbus-org.fedoraproject.FirewallD1.service enabled firewalld.service enabled [root@xxxx ~]# systemctl list-unit-files | grep -i auditd auditd.service enabled [root@xxxx ~]# systemctl list-unit-files | grep -ie restorecond -ie yum-updatesd 4) yum-rhn-plugin still exists [root@xxxx ~]# rpm -qav | grep -i yum-rhn-plugin yum-rhn-plugin-2.0.1-4.el7.noarch the above details are for RHEL7 provisioned machines, the below output is from RHEL6 provisioned machines. oot@dlink65 ~]# yum repolist Loaded plugins: product-id, security, subscription-manager This system is receiving updates from Red Hat Subscription Management. ACME_Corporation_RHEL6_RHEL65_x86_64 | 2.5 kB 00:00 repo id repo name status ACME_Corporation_RHEL6_RHEL65_x86_64 RHEL65_x86_64 3,690 repolist: 3,690 [root@dlink65 ~]# getenforce Enforcing [root@dlink65 ~]# rpm -qav | grep -i rhn-plugin yum-rhn-plugin-0.9.1-48.el6.noarch [root@dlink65 ~]# chkconfig --list | grep -ie iptables -ie ip6tables -ie restorecon -ie auditd auditd 0:off 1:off 2:on 3:on 4:on 5:on 6:off ip6tables 0:off 1:off 2:on 3:on 4:on 5:on 6:off iptables 0:off 1:off 2:on 3:on 4:on 5:on 6:off restorecond 0:off 1:off 2:off 3:off 4:off 5:off 6:off [root@dlink65 ~]# chkconfig --list | grep -i yum-updatesd [root@dlink65 ~]# NOTE:- For both RHEL6 and RHEL7 provisioning the template used was "Satellite Kickstart default for RHEL" This was delivered with 6.0.3, which is the Satellite 6 Beta. |
Description of problem: Default RHEL provisioning template produces system with insecure settings (selinux in permissive; services like iptables, ip6tables, auditd, restorecond, yum-updatesd are stopped; although the system is meant to be used via subscription-manager, yum-rhn-plugin is installed; ) Version-Release number of selected component (if applicable): Satellite-6.0.3-RHEL-6-20140521.0 How reproducible: always Steps to Reproduce: 1. Provision guest with these provisioning templates (or just inspect them): Kickstart default Kickstart RHEL default Katello Kickstart Default for RHEL Actual results: Not all issues are found in all templates, but what I consider most important: * system is not registered automatically * SELinux in permissive * services like iptables, ip6tables, auditd, restorecond, yum-updatesd are stopped * although the system is meant to be used via subscription-manager, yum-rhn-plugin is installed Expected results: After installation, system should be registered by default. SELinux should be in enforcing At least ip*tables services should be running with sane configuration Just a minimal set of packages should be installed (yum-rhn-plugin and other might be probably removed)