Bug 1305782
| Summary: | Support arbitrary configuration options for internal puppet classes in the installer | |||
|---|---|---|---|---|
| Product: | Red Hat Satellite | Reporter: | Abel Lopez <abelopez> | |
| Component: | Installation | Assignee: | Stephen Benjamin <stbenjam> | |
| Status: | CLOSED ERRATA | QA Contact: | Lukas Pramuk <lpramuk> | |
| Severity: | medium | Docs Contact: | ||
| Priority: | unspecified | |||
| Version: | 6.1.5 | CC: | bkearney, brubisch, chartwel, chrobert, dgupte, egolov, gkonda, hartsjc, howey.vernon, itewksbu, jcallaha, jnikolak, jpazdziora, kseifried, lpramuk, mgazdik, mlinden, mmccune, paldeala, parmstro, pdwyer, prsharma, pwayper, security-response-team, sreber, stbenjam, vivpatil, vmeghana, zhunting | |
| Target Milestone: | Unspecified | Keywords: | Security, Triaged | |
| Target Release: | Unused | |||
| Hardware: | x86_64 | |||
| OS: | Linux | |||
| Whiteboard: | ||||
| Fixed In Version: | foreman-installer-1.11.0.15-2 | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | ||
| Clone Of: | ||||
| : | 1417085 (view as bug list) | Environment: | ||
| Last Closed: | 2017-03-06 15:11:41 UTC | Type: | Bug | |
| Regression: | --- | Mount Type: | --- | |
| Documentation: | --- | CRM: | ||
| Verified Versions: | Category: | --- | ||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
| Cloudforms Team: | --- | Target Upstream Version: | ||
| Embargoed: | ||||
| Bug Depends On: | ||||
| Bug Blocks: | 1115190, 1211642, 1305938, 1377060, 1417085, 1432305 | |||
|
Description
Abel Lopez
2016-02-09 08:53:28 UTC
This is Kurt from Product Security, just to let you know we're keeping an eye on this and I'll be talking to the Satellite 6 people about it. Thanks for reporting this! So restricting HTTP methods/verbs: <Location "/"> AllowMethods GET POST... </Location> This does not affect Trace, so we’ll also need: TraceEnable Off Per 6.3 planning, moving out non acked bugs to the backlog We have a few requests like this, and there may be other needs for custom apache settings. I think the best approach would be allowing the customer to provide their own Hiera configruation for apache, like this one: https://github.com/theforeman/foreman-installer/blob/develop/config/foreman.hiera/RedHat.yaml That way we can let them configure it in whatever way meets their security needs. *** Bug 1328300 has been marked as a duplicate of this bug. *** *** Bug 1328367 has been marked as a duplicate of this bug. *** *** Bug 1198115 has been marked as a duplicate of this bug. *** Opened a PR upstream with a proposal on how to solve this.
Satellite 6.3 installer allows the use of hiera, so you can now "reach" into puppet classes that are not exposed at the top of satellite-installer and configure those deeper settings. The PR adds support for some custom hiera config.
However, a warning: we have to be careful here - there are many settings that users should NOT change, so it should be documented on a case-by-case basis.
The ones mentioned here and in the linked BZ's should be safe to change and in general the various security guides recommend settings we don't care about too much (turning trace off, server signature, etc).
If the PR is accepted, users would:
Create a YAML file on the Satellite server:
/usr/share/foreman-installer/config/foreman.hiera/custom.yaml
With contents like this:
---
apache::server_tokens: Prod
apache::server_signature: Off
apache::trace_enable: Off
This will configure the relevant apache settings. Additional settings can be viewed in the code itself, or the apache module docs: https://forge.puppet.com/puppetlabs/apache
The names are usually fairly obvious.
After creating this file, re-run the installer and see Apache is configured accordingly:
[root@test-box foreman.hiera]# grep -r ServerSignature /etc/httpd
/etc/httpd/conf.d/15-default.conf: ServerSignature Off
/etc/httpd/conf.d/03-crane.conf: ServerSignature Off
/etc/httpd/conf.d/05-foreman.conf: ServerSignature Off
/etc/httpd/conf.d/05-foreman-ssl.conf: ServerSignature Off
/etc/httpd/conf/httpd.conf:ServerSignature Off
[root@test-box foreman.hiera]# grep -r ServerToken /etc/httpd
/etc/httpd/conf/httpd.conf:ServerTokens Prod
[root@test-box foreman.hiera]# grep -r Trace /etc/httpd
/etc/httpd/conf/httpd.conf:TraceEnable Off
Moving this bug to POST for triage into Satellite 6 since the upstream issue http://projects.theforeman.org/issues/16207 has been resolved. Upstream patch was accepted. Steps are same as comment #14, except the path is more user-friendly: /etc/foreman-install/custom-hiera.yaml Sorry that's installer not install: /etc/foreman-installer/custom-hiera.yaml *** Bug 1394093 has been marked as a duplicate of this bug. *** *** Bug 1396535 has been marked as a duplicate of this bug. *** Just making the title clearer, since this works for anything (e.g. puppet) not just apache *** Bug 1304022 has been marked as a duplicate of this bug. *** *** Bug 1397718 has been marked as a duplicate of this bug. *** *** Bug 1415139 has been marked as a duplicate of this bug. *** QE: How To Verify This Bug 1. Edit the file /etc/foreman-installer/custom-hiera.conf to have this content: --- apache::trace_enable: Off 2. Run satellite-installer 3. Confirm httpd config files have trace off [root@test-box foreman.hiera]# grep -r Trace /etc/httpd /etc/httpd/conf/httpd.conf:TraceEnable Off *** Bug 1421636 has been marked as a duplicate of this bug. *** FailedQA. @satellite-6.2.8-1.0.el7sat.noarch (snap3) foreman-installer-1.11.0.15-2.el7sat.noarch using reproducer in comment#26: # cat /etc/foreman-installer/custom-hiera.conf apache::trace_enable: Off # satellite-installer -S satellite Installing Done [100%] [...............................................................................................................................] Success! * Satellite is running at https://<FQDN> Initial credentials are admin / ZMHdV5x3W3c6Y8KU * To install additional capsule on separate machine continue by running: capsule-certs-generate --capsule-fqdn "$CAPSULE" --certs-tar "~/$CAPSULE-certs.tar" The full log is at /var/log/foreman-installer/satellite.log # grep -r Trace /etc/httpd /etc/httpd/conf/httpd.conf:TraceEnable On >>> custom param still has no effect VERIFIED. I noticed that reproducer in comment#26 is not correct: custom-hiera.conf should be custom-hiera.yaml # cat /etc/foreman-installer/custom-hiera.yaml apache::trace_enable: Off # satellite-installer -S satellite ... # grep -r Trace /etc/httpd /etc/httpd/conf/httpd.conf:TraceEnable Off >>> installer takes custom param into account Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2017:0447 *** Bug 1428016 has been marked as a duplicate of this bug. *** |