Bug 1100367 - some default provisioning templates produces system with insecure settings
Summary: some default provisioning templates produces system with insecure settings
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Satellite
Classification: Red Hat
Component: Provisioning
Version: Nightly
Hardware: Unspecified
OS: Unspecified
high
medium vote
Target Milestone: Unspecified
Assignee: Dmitri Dolguikh
QA Contact: Kedar Bidarkar
URL: http://projects.theforeman.org/issues...
Whiteboard:
Depends On:
Blocks: 1100582
TreeView+ depends on / blocked
 
Reported: 2014-05-22 16:41 UTC by Jan Hutař
Modified: 2019-09-26 14:32 UTC (History)
5 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
: 1100582 (view as bug list)
Environment:
Last Closed: 2014-07-02 14:04:44 UTC
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Foreman Issue Tracker 5895 0 Normal Closed Kickstart provisioning template has iptables, auditd etc disabled 2020-12-18 01:34:45 UTC

Description Jan Hutař 2014-05-22 16:41:26 UTC
Description of problem:
Default RHEL provisioning template produces system with insecure settings (selinux in permissive; services like iptables, ip6tables, auditd, restorecond, yum-updatesd are stopped; although the system is meant to be used via subscription-manager, yum-rhn-plugin is installed; )


Version-Release number of selected component (if applicable):
Satellite-6.0.3-RHEL-6-20140521.0


How reproducible:
always


Steps to Reproduce:
1. Provision guest with these provisioning templates (or just inspect them):
     Kickstart default
     Kickstart RHEL default
     Katello Kickstart Default for RHEL


Actual results:
Not all issues are found in all templates, but what I consider most important:
 * system is not registered automatically
 * SELinux in permissive
 * services like iptables, ip6tables, auditd, restorecond, yum-updatesd are stopped
 * although the system is meant to be used via subscription-manager, yum-rhn-plugin is installed


Expected results:
After installation, system should be registered by default.
SELinux should be in enforcing
At least ip*tables services should be running with sane configuration
Just a minimal set of packages should be installed (yum-rhn-plugin and other might be probably removed)

Comment 3 Dominic Cleal 2014-05-23 07:07:51 UTC
1. System not registered: the "Katello Kickstart Default for RHEL" template should do register the host to Sat6/Katello automatically using the activation key specified on the host, if not, please file a separate BZ with a bit more information.

The other two Kickstart* templates are supplied by Foreman and can register hosts if configured correctly, but aren't intended to be used in Sat6.

2. SELinux in permissive: I've cloned this to bug #1100582 to be fixed in Katello.

3. Services disabled: we'll address that via this BZ in Foreman.

4. Default packages: I've mentioned this on bug #1100582 in case Katello wish to specifically exclude it, but otherwise this is dictated by comps in the OS itself.

Comment 4 Jan Hutař 2014-06-04 08:52:27 UTC
Thank you for response!

(In reply to Dominic Cleal from comment #3)
> 1. System not registered: the "Katello Kickstart Default for RHEL" template
> should do register the host to Sat6/Katello automatically using the
> activation key specified on the host, if not, please file a separate BZ with
> a bit more information.

Have to get mine setup back. Will test and report later.

> The other two Kickstart* templates are supplied by Foreman and can register
> hosts if configured correctly, but aren't intended to be used in Sat6.

I have reported bug 1104570 for this.

> 2. SELinux in permissive: I've cloned this to bug #1100582 to be fixed in
> Katello.

Thank you.

> 3. Services disabled: we'll address that via this BZ in Foreman.

OK.

> 4. Default packages: I've mentioned this on bug #1100582 in case Katello
> wish to specifically exclude it, but otherwise this is dictated by comps in
> the OS itself.

Once I have mine setup I'll either forgot about it or test it and create separate bugzilla.

Comment 5 Dominic Cleal 2014-06-06 13:01:18 UTC
This will need patching downstream against app/views/unattended/kickstart/, it's been merged to community-templates upstream.

Comment 8 Kedar Bidarkar 2014-06-23 11:08:18 UTC
verified with SNAP10


1) systems do get registered automatically
One requires the below parameters to be set for the Host.
a) kt_org as "<the desired org>
b) kt_activation_keys "<the ak to be registered with"
[root@xxxx ~]# yum repolist
Loaded plugins: product-id, subscription-manager
repo id                                                                                                repo name                                                                        status
ACME_Corporation_RHEL7_RHEL7_x86_64                                                                    RHEL7_x86_64                                                                     4,305
repolist: 4,305

2) SELinux is running in enforced mode.
[root@xxxx ~]# getenforce
Enforcing

3) Below are the services which are enabled 
[root@xxxx ~]# systemctl list-unit-files  | grep -i firewall
dbus-org.fedoraproject.FirewallD1.service   enabled 
firewalld.service                           enabled 
[root@xxxx ~]# systemctl list-unit-files  | grep -i auditd
auditd.service                              enabled 
[root@xxxx ~]# systemctl list-unit-files  | grep -ie restorecond -ie yum-updatesd

4) yum-rhn-plugin still exists 
[root@xxxx ~]# rpm -qav | grep -i yum-rhn-plugin
yum-rhn-plugin-2.0.1-4.el7.noarch

Comment 9 Kedar Bidarkar 2014-06-23 12:53:24 UTC
the above details are for RHEL7 provisioned machines,

the below output is from RHEL6 provisioned machines.

oot@dlink65 ~]# yum repolist
Loaded plugins: product-id, security, subscription-manager
This system is receiving updates from Red Hat Subscription Management.
ACME_Corporation_RHEL6_RHEL65_x86_64                                                                                                                                   | 2.5 kB     00:00     
repo id                                                                                                repo name                                                                        status
ACME_Corporation_RHEL6_RHEL65_x86_64                                                                   RHEL65_x86_64                                                                    3,690
repolist: 3,690
[root@dlink65 ~]# getenforce
Enforcing
[root@dlink65 ~]# rpm -qav | grep -i rhn-plugin
yum-rhn-plugin-0.9.1-48.el6.noarch
[root@dlink65 ~]# chkconfig --list | grep -ie iptables -ie ip6tables -ie restorecon -ie auditd
auditd         	0:off	1:off	2:on	3:on	4:on	5:on	6:off
ip6tables      	0:off	1:off	2:on	3:on	4:on	5:on	6:off
iptables       	0:off	1:off	2:on	3:on	4:on	5:on	6:off
restorecond    	0:off	1:off	2:off	3:off	4:off	5:off	6:off
[root@dlink65 ~]# chkconfig --list | grep -i yum-updatesd
[root@dlink65 ~]# 



NOTE:- For both RHEL6 and RHEL7 provisioning the template used was "Satellite Kickstart default for RHEL"

Comment 10 Bryan Kearney 2014-07-02 14:04:44 UTC
This was delivered with 6.0.3, which is the Satellite 6 Beta.


Note You need to log in before you can comment on or make changes to this bug.