Bug 2030226

Summary: [RFE] RHV hypervisors should support running on hosts with the PCI-DSS security profile applied
Product: Red Hat Enterprise Virtualization Manager Reporter: Martin Perina <mperina>
Component: vdsmAssignee: Ales Musil <amusil>
Status: CLOSED ERRATA QA Contact: cshao <cshao>
Severity: high Docs Contact:
Priority: high    
Version: 4.4.0CC: cshao, emarcus, gdeolive, lsurette, srevivo, ycui
Target Milestone: ovirt-4.5.0Keywords: FutureFeature, ZStream
Target Release: 4.5.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: vdsm-4.50.0.10 Doc Type: Release Note
Doc Text:
The Red Hat Virtualization Host is now capable of running on a machine with the PCI-DSS security profile.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2022-05-26 17:22:44 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: Infra RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1970529, 2015093, 2020620, 2029830    
Bug Blocks: 2073293    

Description Martin Perina 2021-12-08 09:03:24 UTC 
RHV hypervisors should be able to properly run on a host where official PCI-DSS profile for RHEL 8 is applied

https://www.redhat.com/en/resources/pci-dss-compliance-coalfire-analyst-paper
http://static.open-scap.org/ssg-guides/ssg-rhel8-guide-pci-dss.html
https://www.pcisecuritystandards.org/document_library

If running on the official PCI-DSS profile is not feasible due to technical limitations, then we need to create a hardening profile for RHV hypervisors based on the official PCI-DSS profile, where we would have disabled PCI-DSS features which blocks proper functionality of RHV hypervisor.
Comment 4 cshao 2022-05-05 10:01:28 UTC 
Test version:
RHVH-4.5-20220425.0-RHVH-x86_64-dvd1.iso 

Engine:
RHV 4.5.0-9

Test steps:
1. Install RHVH-4.5-20220425.0-RHVH-x86_64-dvd1.iso with PCI-DSS profile applied.
2. Reboot
3. Register to engine.

Test Result:
Instal RHVH with PCI-DSS profiles applied - pass
Register host to engine with PCI-DSS - pass

So the bug is fixed, change bug status to VERIFIED.
Comment 11 errata-xmlrpc 2022-05-26 17:22:44 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Low: RHV RHEL Host (ovirt-host) [ovirt-4.5.0] security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:4764