Bug 1791583

Summary: [DOC] C2S security profile - services are now masked instead of disabled
Product: Red Hat Enterprise Linux 7 Reporter: Steffen Froemer <sfroemer>
Component: scap-security-guideAssignee: Watson Yuuma Sato <wsato>
Status: CLOSED ERRATA QA Contact: Marek Haicman <mhaicman>
Severity: high Docs Contact: Mirek Jahoda <mjahoda>
Priority: high    
Version: 7.8CC: ggasparb, jcerny, jscheibe, lcervako, matyc, mhaicman, mjahoda, mmarhefk, openscap-maint, wsato
Target Milestone: rc   
Target Release: 7.9   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Enhancement
Doc Text:
.`SCAP Security Guide` now correctly disables services With this update, the `SCAP Security Guide` (SSG) profiles correctly disable and mask services that should not be started. This guarantees that disabled services are not inadvertently started as a dependency of another service. Before this change, the SSG profiles such as the U.S. Government Commercial Cloud Services (C2S) profile only disabled the service. As a result, services disabled by an SSG profile cannot be started unless you unmask them first.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2020-09-29 19:52:42 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Steffen Froemer 2020-01-16 08:17:07 UTC 
Description of problem:
The behavior of disabling services changed between RHEL-7.7 and RHEL-7.8. This should be mentioned somewhere (e.g. release notes)

Version-Release number of selected component (if applicable):
latest 

How reproducible:
always

Steps to Reproduce:
1. Install RHEL-7.8 beta with chosing C2S security profile directly inside anaconda (including nfs-utils, e.g.)
2. start nfs-server afterwards
3. 

Actual results:
Service can't be started

Expected results:
The requirement to unmask the services before possible to start should be notes in release notes, that this behavior changed. In C2S-profile of RHEL-7.7 the services were only disabled.

Additional info:
Comment 11 errata-xmlrpc 2020-09-29 19:52:42 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (scap-security-guide bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:3909