Bug 2050071
Summary: | Use authselect in RHV-H and appliance images | ||
---|---|---|---|
Product: | Red Hat Enterprise Virtualization Manager | Reporter: | Ales Musil <amusil> |
Component: | rhvm-appliance | Assignee: | Sanja Bonic <sanja> |
Status: | CLOSED ERRATA | QA Contact: | Wei Wang <weiwang> |
Severity: | high | Docs Contact: | |
Priority: | high | ||
Version: | 4.5.0 | CC: | ggasparb, maburgha, mavital, mhaicman, mperina, vpolasek, wsato |
Target Milestone: | ovirt-4.5.0-1 | Keywords: | CodeChange |
Target Release: | 4.5.0 | ||
Hardware: | Unspecified | ||
OS: | Unspecified | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | No Doc Update | |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2022-06-07 15:22:53 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | Node | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | |||
Bug Blocks: | 2015796, 2015802 |
Description
Ales Musil
2022-02-03 07:40:16 UTC
After further checking the ovirt-host does not need to be installed. Looks like the issue is within the remediation code e.g. https://github.com/ComplianceAsCode/content/blob/stable/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/ansible/shared.yml#L13 The "authselect check" returns "System was not configured with authselect." rc=2 on those systems, but the remediation does not seem to take that in account. Hi, The problem seems be on the installation kickstart, it is not configuring 'authselect',I have noticed the 'authselect' command doesn't select a profile. I have logged into the image and selected a profile with: authselect select sssd with-fingerprint and then the PAM remediations from the STIG profile were applied successfully. Hi, just a note that we are looking into adding a rule into each profile to ensure that authselect is enabled during install. So if the kickstart doesn't explicitly select one authselect profile, our SCAP profile will select one (probably minimal or sssd). Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: RHV Appliance (rhvm-appliance) security update [ovirt-4.5.0]), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2022:4931 |