Bug 2015802

Summary: [RFE] RHV hypervisors should support running on host with DISA STIG security profile applied
Product: Red Hat Enterprise Virtualization Manager Reporter: Martin Perina <mperina>
Component: vdsm Assignee: Ales Musil <amusil>
Status: CLOSED ERRATA QA Contact: Guilherme Santos <gdeolive>
Severity: high Docs Contact:
Priority: high    
Version: 4.4.8 CC: amusil, cshao, gdeolive, lsurette, mburman, michal.skrivanek, mkalinin, mtessun, pelauter, srevivo, ycui
Target Milestone: ovirt-4.5.0 Keywords: FutureFeature
Target Release: 4.5.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: ovirt-engine-4.5.0.5 Doc Type: Release Note
Doc Text:
RHV Hypervisor 4.4 SP1, with the exception of RHV-H, is able to run on a host with the RHEL 8.6 DISA STIG openscap profile applied.
Story Points: ---
Clone Of: Environment:
Last Closed: 2022-05-26 17:22:44 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: Infra RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1970529, 2015093, 2020620, 2021802, 2026301, 2027259, 2029830, 2050071, 2055149, 2055829, 2055860, 2066300, 2070036, 2070582    
Bug Blocks: 2072987    

Description Martin Perina 2021-10-20 06:41:04 UTC
RHV hypervisors should be able to properly run on a host where the official DISA STIG profile for RHEL 8 is applied.

https://www.redhat.com/en/blog/disa-has-released-red-hat-enterprise-linux-8-stig
http://static.open-scap.org/ssg-guides/ssg-rhel8-guide-stig.html
https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems

If running on the official DISA STIG profile is not feasible due to technical limitations, then we need to create a hardening profile for RHV hypervisors based on the official DISA STIG profile, where we would have disabled the DISA STIG features that block proper functionality of the RHV hypervisor.

Comment 1 Martin Perina 2021-10-20 06:41:48 UTC
The effort to make RHV Manager work with DISA STIG is tracked in BZ2015796.

Comment 2 Sandro Bonazzola 2022-03-29 16:16:40 UTC
We are past 4.5.0 feature freeze, please re-target.

Comment 10 cshao 2022-04-26 12:23:43 UTC
Update:
Testing passed with the latest RHEL 8.6 (RHEL-8.6.0-20220423.0-x86_64-dvd1.iso), which has fapolicyd >= 1.1-6.

Comment 12 cshao 2022-05-05 08:19:50 UTC
(In reply to cshao from comment #10)
> Update:
> Testing passed with the latest RHEL 8.6
> (RHEL-8.6.0-20220423.0-x86_64-dvd1.iso), which has fapolicyd >= 1.1-6.

Verify this bug according to the above comments.

Comment 19 errata-xmlrpc 2022-05-26 17:22:44 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Low: RHV RHEL Host (ovirt-host) [ovirt-4.5.0] security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:4764