Bug 1791583

Summary: [DOC] C2S security profile - services are now masked instead of disabled
Product: Red Hat Enterprise Linux 7 Reporter: Steffen Froemer <sfroemer>
Component: scap-security-guide Assignee: Watson Yuuma Sato <wsato>
Status: VERIFIED --- QA Contact: Marek Haicman <mhaicman>
Severity: high Docs Contact: Mirek Jahoda <mjahoda>
Priority: high    
Version: 7.8 CC: ggasparb, jcerny, jscheibe, matyc, mhaicman, mjahoda, mmarhefk, openscap-maint, wsato
Target Milestone: rc   
Target Release: 7.9   
Hardware: Unspecified   
OS: Unspecified   
Fixed In Version: Doc Type: Enhancement
Doc Text:
.`SCAP Security Guide` now correctly disables services

With this update, the `SCAP Security Guide` (SSG) profiles correctly disable and mask services that should not be started. This guarantees that disabled services are not inadvertently started as a dependency of another service. Before this change, the SSG profiles such as the U.S. Government Commercial Cloud Services (C2S) profile only disabled the service. As a result, services disabled by an SSG profile cannot be started unless you unmask them first.
Last Closed: Type: Bug

Description Steffen Froemer 2020-01-16 08:17:07 UTC
Description of problem:
The behavior of disabling services changed between RHEL-7.7 and RHEL-7.8. This should be mentioned somewhere (e.g. release notes).

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Install RHEL-7.8 beta, choosing the C2S security profile directly inside anaconda (including nfs-utils, e.g.)
2. Start nfs-server afterwards

Actual results:
Service can't be started

Expected results:
The requirement to unmask the services before they can be started should be noted in the release notes, since this behavior changed. In the C2S profile of RHEL-7.7 the services were only disabled.

Additional info:
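
The following is an added example, not part of the bug report or of scap-security-guide: it tells a masked unit from one that is only disabled by reading the unit-file tree, so it also works on a mounted image or chroot. The sample tree and the `sshd.service` and `rpcbind.service` names are constructed, and only persistent masks under /etc/systemd/system are checked.

```shell
#!/bin/sh
# Classify a systemd unit as masked, enabled or disabled from the unit-file
# tree. ROOT is the filesystem root to inspect ("/" for the live system).
# Assumption: only persistent state under /etc/systemd/system is examined.

unit_state() {
    root=${1%/}; unit=$2
    admin="$root/etc/systemd/system"
    # "systemctl mask" links /etc/systemd/system/<unit> to /dev/null. That
    # overrides the vendor unit file and blocks every start request,
    # including a start pulled in as a dependency of another service.
    if [ -L "$admin/$unit" ] && [ "$(readlink "$admin/$unit")" = "/dev/null" ]; then
        echo masked; return 0
    fi
    # "systemctl enable" creates symlinks in *.wants/ or *.requires/.
    for link in "$admin"/*.wants/"$unit" "$admin"/*.requires/"$unit"; do
        if [ -L "$link" ]; then echo enabled; return 0; fi
    done
    # Neither masked nor enabled: the unit is only disabled, so a manual
    # start or a dependency can still start it.
    echo disabled
}

# Build a constructed sample tree (not taken from a real RHEL installation).
demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/etc/systemd/system/multi-user.target.wants" \
             "$d/usr/lib/systemd/system"
    for u in nfs-server sshd rpcbind; do
        : > "$d/usr/lib/systemd/system/$u.service"
    done
    # nfs-server: masked, as the updated profile leaves it
    ln -s /dev/null "$d/etc/systemd/system/nfs-server.service"
    # sshd: enabled; rpcbind: no links at all, so only disabled
    ln -s /usr/lib/systemd/system/sshd.service \
        "$d/etc/systemd/system/multi-user.target.wants/sshd.service"
    echo "$d"
}

tree=$(demo_tree)
for u in nfs-server.service sshd.service rpcbind.service; do
    printf '%-22s %s\n' "$u" "$(unit_state "$tree" "$u")"
done
rm -rf "$tree"
```

On a live system, `systemctl is-enabled nfs-server` reports the same `masked` state, and `systemctl unmask nfs-server` removes the /dev/null link so the service can be started again.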