Bug 1636847
Summary: | No SCAP security guide on Anaconda security policy page | ||
---|---|---|---|
Product: | Red Hat Enterprise Linux 7 | Reporter: | Sandro Bonazzola <sbonazzo> |
Component: | oscap-anaconda-addon | Assignee: | Matěj Týč <matyc> |
Status: | CLOSED WONTFIX | QA Contact: | Release Test Team <release-test-team-automation> |
Severity: | high | Docs Contact: | Sharon Moroney <smoroney> |
Priority: | high | ||
Version: | 7.6 | CC: | bugs, cshao, huzhao, jomurphy, matyc, mhaicman, openscap-maint, qiyuan, sbonazzo, weiwang, wsato, yaniwang, ycui, yturgema |
Target Milestone: | rc | Keywords: | Regression |
Target Release: | --- | ||
Hardware: | Unspecified | ||
OS: | Unspecified | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | Known Issue | |
Doc Text: |
The content location detection code is not working on Red Hat Virtualization Hosts
Red Hat Virtualization Hosts cannot select the hardening profile from locally-installed content. To work around this problem, use the _oscap-anaconda-addon_ package to fetch the Red Hat Enterprise Linux datastream file from a URL.
1. Upload the `ssg-rhel7-ds.xml` datastream file from the Red Hat Enterprise Linux 7 _scap-security-guide_ package to your network so it can be discovered by Anaconda.
To do so:
a) Use Python to set up a web server that listens on port 8000 in the directory that contains the `ssg-rhel7-ds.xml` datastream file. Example: `python2 -m SimpleHTTPServer`, or `python3 -m http.server`.
or,
b) Upload the `ssg-rhel7-ds.xml` datastream file to an HTTPS or FTP server.
2. In the *Security Policy* window of Anaconda’s Graphical User Interface, click *Change Content* and enter the URL that points to the `ssg-rhel7-ds.xml` datastream file, for example: http://gateway:8000/ssg-rhel7-ds.xml or ftp://my-ftp-server/ssg-rhel7-ds.xml.
The `ssg-rhel7-ds.xml` datastream file is now available and Red Hat Virtualization Hosts can select the hardening profile.
|
Story Points: | --- |
Clone Of: | 1634239 | Environment: | |
Last Closed: | 2020-03-02 11:43:16 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
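
For step 1a of the workaround in the Doc Text above: `python3 -m http.server` publishes every file in the directory it is started from. The script below is an added example, not code from this bug report or from the oscap-anaconda-addon project; it serves only the datastream file on port 8000 and prints its SHA-256 so the served copy can be compared with the file from the _scap-security-guide_ package. The function names are assumptions made for this example.

```python
"""Serve a single SCAP datastream file over HTTP for the Anaconda installer."""
import hashlib
import os
import sys
from http.server import BaseHTTPRequestHandler, HTTPServer

DATASTREAM = "ssg-rhel7-ds.xml"  # file name taken from the workaround text


def sha256_of(path):
    """Return the SHA-256 hex digest of the file so copies can be compared."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def make_handler(path):
    """Build a handler that answers only GET /<basename of path>."""
    url_path = "/" + os.path.basename(path)

    class OneFileHandler(BaseHTTPRequestHandler):
        def do_GET(self):
            if self.path != url_path:
                self.send_error(404)  # nothing else in the directory is exposed
                return
            with open(path, "rb") as fh:
                body = fh.read()
            self.send_response(200)
            self.send_header("Content-Type", "application/xml")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)

    return OneFileHandler


def make_server(path, port=8000, host=""):
    """Create (but do not start) the server; port 0 picks a free port."""
    return HTTPServer((host, port), make_handler(path))


if __name__ == "__main__":
    ds = sys.argv[1] if len(sys.argv) > 1 else DATASTREAM
    print("sha256", sha256_of(ds))
    print("serving /%s on port 8000" % os.path.basename(ds))
    make_server(ds).serve_forever()
```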
Description
Sandro Bonazzola
2018-10-08 06:26:09 UTC
This corresponds to upstream issues https://github.com/OpenSCAP/oscap-anaconda-addon/issues/80 and https://github.com/OpenSCAP/oscap-anaconda-addon/issues/79

Hello Sharon,
- datastream is a term defined in the SCAP standard. It is an XML file that a SCAP scanner s.a. oscap is able to consume. Datastreams contain definitions / checks for various security rules, and if one wants to install a RHEL7 system, one needs a RHEL7 datastream. Typically, the filename of that datastream is ssg-rhel7-ds.xml, as this is the name that we use in the scap-security-guide package and that file should have been selected.
- The button is in the oscap "Security Policy" spoke.
- Those URLs were examples, position of s.a. is incorrect, but it may be any of those URLs or none of them - it just depends on where the datastream ends up.
- By content I meant the datastream. The datastream typically contains several applicable security profiles.

I would not omit those URL examples, as they may increase confidence about what those URLs should look like. Next, I have realized that affected users may not be 100% certain concerning what a datastream is, so I would mention that they want to upload the ssg-rhel7-ds.xml file from the scap-security-guide package that is shipped in the corresponding version of RHEL7.

Excuse me, I forgot to reply to you. I approve the last version, thanks for your work!

Hi Sharon, you are right - it is a package.