Bug 2172264

Summary: tftp error when you add the "Network Servers" Software Group and select any CIS Security Profiles
Product: Red Hat Enterprise Linux 9 Reporter: ckrell
Component: oscap-anaconda-addonAssignee: Matěj Týč <matyc>
Status: CLOSED ERRATA QA Contact: Release Test Team <release-test-team-automation>
Severity: high Docs Contact: Jan Fiala <jafiala>
Priority: high    
Version: 9.1CC: gfialova, jafiala, jcastran, jcerny, jstodola, matyc, mhaicman, wsato
Target Milestone: rcKeywords: Triaged
Target Release: ---Flags: pm-rhel: mirror+
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: oscap-anaconda-addon-2.0.0-17.el9 Doc Type: Bug Fix
Doc Text:
.`oscap-anaconda-addon` can now harden Network Servers for CIS Previously, installing RHEL Network Servers with a CIS security profile (`cis`, `cis_server_l1`, `cis_workstation_l1`, or `cis_workstation_l2`) was not possible with the Network Servers package group selected. This problem is fixed by excluding the `tftp` package in `oscap-anaconda-addon-2.0.0-17.el9` provided with RHEL 9.3. As a consequence, you can install CIS-hardened RHEL Network Servers with the Network Servers package group.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2023-11-07 08:36:28 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description ckrell 2023-02-21 19:05:55 UTC 
Description of problem:
When installing RHEL 9.1 - if you select the package group "Network Servers" and select any of the "CIS" Security Profiles you see an error message "package 'tftp' has been added to the list of excluded packages, but it can't be removed from the current software selection without breaking the install"

Version-Release number of selected component (if applicable):
RHEL 9.1

How reproducible:
Everytime

Steps to Reproduce:
1. Start a RHEL 9.1 Anaconda GUI install
2. Select Minimal Base Environment from the Software Selection menu and then under "Additional software for Selected Environment" select "Network Servers" and "Done"
3. Go to Security Profile and select any of the "CIS Red Hat Enterprise Linux 9 Benchmark" and then scroll down to see the error message.

workaround:
4. Go back to Software Selection and uncheck the "Network Servers" additional software.  Then view the security profile to view that the tftp error message is gone.

Actual results:
"package 'tftp' has been added to the list of excluded packages, but it can't be removed from the current software selection without breaking the install"

Expected results:
"package 'tftp' has been added to the list of excluded packages"
Comment 1 Jan Stodola 2023-02-22 15:21:40 UTC 
This looks like a possible oscap-anaconda-addon issue, reassigning the bug.
Comment 2 Matěj Týč 2023-02-27 12:25:57 UTC 
This is a manifestation of a conflict between the software selection and a hardening profile, and the addon handles this one gracefully - it informs the user before the installation starts, so they can react to this situation before the installation is started.
I can imagine an even more graceful handling of the situation by e.g. filtering the list of software selections if the hardening profile is known, or by offering to proceed with the installation while prioritizing the hardening requirements, or something like that. However, I would see such requirements as RFEs - I think that the current behavior is not a result of a bug or defect that can be fixed in a straightforward way.
Comment 3 jcastran 2023-02-27 13:40:55 UTC 
There is something of a problem though. tftp is not part of the group and is not installed when you install the Network Server group. In fact nothing is installed, since all the packages are optional.

> This shows no group name, thus not a group member

[root@r9 ~]# repoquery --groupmember tftp
tftp-5.2-35.el9.x86_64
tftp-5.2-37.el9.x86_64

> All packages are optional and thus nothing is actually installed unless a specific option is used. Even with that option used tftp is not pulled in. 

[root@r9 ~]# yum groupinfo "Network Servers"
Updating Subscription Management repositories.
Last metadata expiration check: 0:00:54 ago on Mon 27 Feb 2023 09:39:52 AM EST.
Group: Network Servers
 Description: These packages include network-based servers such as DHCP, Kerberos and NIS.
 Optional Packages:
   dhcp-server
   dnsmasq
   freeradius
   frr
   idn2
   krb5-server
   libreswan
   radvd
   rsyslog-gnutls
   rsyslog-gssapi
   rsyslog-mysql
   rsyslog-pgsql
   rsyslog-relp
   syslinux
   tang


So the security profile excludes tftp, which is not about to be installed and is not a group member of anything selected.
Comment 4 Matěj Týč 2023-03-13 16:58:56 UTC 
I agree, the listing is not correct - the package is an optional part of the group on the latest RHEL8, and it is completely unrelated on RHEL9.
The installer therefore causes this false positive, that prevents users from installing the system in a straightforward way.
Comment 15 Jan Černý 2023-07-18 09:40:13 UTC 
A fix has been merged upstream by https://github.com/OpenSCAP/oscap-anaconda-addon/pull/248
Comment 16 Jan Stodola 2023-08-01 15:11:35 UTC 
The issue is fixed in oscap-anaconda-addon-2.0.0-17.el9.
The installer reports that "package 'tftp' has been added to the list of excluded packages" and it's possible to finish the installation. The tftp package doesn't get installed.

Marking as Verified:Tested

Jan Fiala, the doc text for this bug applies for RHEL-9.2 as a known issue, but since this will be fixed in RHEL-9.3, the doc text needs to be updated. Can you please take care of it?
Comment 22 Jan Stodola 2023-08-04 10:56:59 UTC 
Checked that oscap-anaconda-addon-2.0.0-17.el9 is in nightly compose RHEL-9.3.0-20230803.31
Automated tests completed without any regression.

Moving to VERIFIED
Comment 27 errata-xmlrpc 2023-11-07 08:36:28 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (oscap-anaconda-addon bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:6531