Bug 1570956

Hello, thank you for the detailed report.

Indeed, SSG generates Anaconda remediations for mount_options rules regarding mount point /dev/shm. And as mentioned /dev/shm is mounted during boot, and it cannot be remediate during install time.

Fix is to stop generating Anaconda remediations for mount_options rules for mount points in /dev/shm.

As far as I can see, the "C2S for Red Hat Enterprise Linux 7" profile is also affected by this.

Hi,

Are there any steps available as a workaround to apply security profiles when performing the initial RHEL 7.5 OS install?

Hello Chadd,

It may not be easy workaround this.
One way I see is to make a customization that unselects the "xccdf_org.ssgproject.content_rule_mount_option_dev_shm_nosuid" and "nodev" rules, merge the customization into the datastream, and feed it through the network to oscap-anaconda-addon. More details here: https://bugzilla.redhat.com/show_bug.cgi?id=1479008#c7

Last two commits of PR https://github.com/OpenSCAP/scap-security-guide/pull/3162 should fix this issue.

*** Bug 1525251 has been marked as a duplicate of this bug. ***

Verified fix in version scap-security-guide-0.1.40-5.el7

NEW (scap-security-guide-0.1.40-5.el7):
$ grep "^part /dev" /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml
<no findings>

OLD (scap-security-guide-0.1.36-9.el7_5):
$ grep "^part /dev" /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml 
part /dev/shm --mountoptions="nodev"
part /dev/shm --mountoptions="noexec"
part /dev/shm --mountoptions="nosuid"
part /dev/shm --mountoptions="nodev"
part /dev/shm --mountoptions="noexec"
part /dev/shm --mountoptions="nosuid"

Note that ssg-rhel7-ds.xml is not the only file that was affected by this bug. Please check all .xml files in that directory.

Best regards,
someone from the CentOS QA team

Hello Anssi,
RHEL7 package ships only these datastreams:
$ ls *ds.xml
ssg-firefox-ds.xml  ssg-jre-ds.xml  ssg-rhel6-ds.xml  ssg-rhel7-ds.xml

As far as I can tell, the only DS applicable to anaconda installation is rhel7 one.

If you are concerned about CentOS content, the way upstream handles centos (it's mostly a rebrand of rhel7 content, done by build system - no separate data sources) patches should be applicable there as well :)

I was referring to ssg-rhel7-xccdf.xml which also has(/had?) those entries, but perhaps it's okay to keep them in that catalog if they are still present. Yes, what CentOS does is not your concern, I'm just trying to make sure RHEL gets this right. If RHEL 7.6 installs using the "Standard System Security Profile" and "C2S for Red Hat Enterprise Linux 7" profiles work OK with the new scap-security-guide then everything's fine.

Ah, I see. xccdf is one of the components in the datastream. For legacy reasons, we ship both DS, and exploded components (xccdf ,oval, cpe-*, ocil). These are no different, and thus checking DS means other files are ok as well.

Please note that due to specifics of SCAP Security Guide CPE usage, it's recommended to use datastreams wherever possible. (because if you use xccdf, you have to also explicitly use cpe dictionary shipped along it. (Anaconda uses datastreams for the same reasons for some time now)

Thank you for the double check, appreciated :)

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:3308