Bug 1378581

Summary: ospp kickstart example too strict
Product: Red Hat Enterprise Linux 7 Reporter: Marek Haicman <mhaicman>
Component: scap-security-guideAssignee: Watson Yuuma Sato <wsato>
Status: CLOSED ERRATA QA Contact: Marek Haicman <mhaicman>
Severity: medium Docs Contact:
Priority: medium    
Version: 7.3CC: mhaicman, mpreisle, openscap-maint, swells
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: scap-security-guide-0.1.33-1.el7 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2017-08-01 12:23:38 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Marek Haicman 2016-09-22 19:20:11 UTC 
Description of problem:
When using ospp kickstart shipped with scap-security-guide-0.1.30-3, remediation is actually so strict it makes the installed machine not usable. The only user created is the root, and ospp prevents root from logging in directly.

Version-Release number of selected component (if applicable):
scap-security-guide-0.1.30-3

How reproducible:
reliably

Steps to Reproduce:
1. install machine with /usr/share/scap-security-guide/kickstart/ssg-rhel7-ospp-ks.cfg

Actual results:
Root cannot be logged in with password "server", specified in the KS, no other user created

Expected results:
Some other user is created to be used to log into the machine.

Additional info:
Origins in Bug 1351751
Comment 2 Martin Preisler 2016-10-03 19:10:41 UTC 
Shawn, could you please confirm that this is a bug?
Comment 4 Watson Yuuma Sato 2017-04-26 12:48:34 UTC 
Upstream fix: https://github.com/OpenSCAP/scap-security-guide/pull/1969
Comment 7 Marek Haicman 2017-06-13 22:04:16 UTC 
Verified manually that kickstart

ssg-rhel7-ospp-ks.cfg

in ssg version

scap-security-guide-0.1.33-4.el7.noarch

creates user admin, is in wheel group [thus sudo-able] and has password admin123.

There are two issues though:
firewall is set to drop, thus SSG connection is not possible, and PAM hardening related to smartcard enablement prevets any user from login from console.
Comment 9 Marek Haicman 2017-06-14 10:02:57 UTC 
Issue with the PAM hardening is tracked separately in Bug 1461330

Apart from this issue, kickstart is working (see Comment 7).
Comment 10 errata-xmlrpc 2017-08-01 12:23:38 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2064