Bug 1100367 - some default provisioning templates produce systems with insecure settings
Summary: some default provisioning templates produce systems with insecure settings
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Satellite
Classification: Red Hat
Component: Provisioning
Version: Nightly
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: medium
Target Milestone: Unspecified
Assignee: Dmitri Dolguikh
QA Contact: Kedar Bidarkar
URL: http://projects.theforeman.org/issues...
Whiteboard:
Depends On:
Blocks: 1100582
Reported: 2014-05-22 16:41 UTC by Jan Hutař
Modified: 2019-09-26 14:32 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Clones: 1100582
Environment:
Last Closed: 2014-07-02 14:04:44 UTC
Target Upstream Version:
Embargoed:
Links:
Foreman Issue Tracker 5895 (Normal, Closed): Kickstart provisioning template has iptables, auditd etc disabled (last updated 2020-12-18 01:34:45 UTC)

Description Jan Hutař 2014-05-22 16:41:26 UTC
Description of problem:
Default RHEL provisioning templates produce a system with insecure settings (SELinux in permissive mode; services like iptables, ip6tables, auditd, restorecond, yum-updatesd are stopped; although the system is meant to be used via subscription-manager, yum-rhn-plugin is installed).


Version-Release number of selected component (if applicable):
Satellite-6.0.3-RHEL-6-20140521.0


How reproducible:
always


Steps to Reproduce:
1. Provision guest with these provisioning templates (or just inspect them):
     Kickstart default
     Kickstart RHEL default
     Katello Kickstart Default for RHEL


Actual results:
Not all issues are found in all templates, but what I consider most important:
 * system is not registered automatically
 * SELinux in permissive
 * services like iptables, ip6tables, auditd, restorecond, yum-updatesd are stopped
 * although the system is meant to be used via subscription-manager, yum-rhn-plugin is installed


Expected results:
After installation, the system should be registered by default.
SELinux should be in enforcing mode.
At least the ip*tables services should be running with a sane configuration.
Just a minimal set of packages should be installed (yum-rhn-plugin and others could probably be removed).
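As an added illustration, not the shipped template and not the upstream fix itself, here is the shape of the kickstart settings the report objects to next to a hardened form covering the same four points (SELinux mode, service state, package set, registration). The ERB expressions reading the kt_org and kt_activation_keys host parameters are an assumption about how a Foreman template would access them.

```kickstart
# ---- Weak form (reconstructed from the report, shown commented out) ----
# selinux --permissive
# firewall --disabled
# services --disabled=iptables,ip6tables,auditd,restorecond,yum-updatesd
# (yum-rhn-plugin pulled in by the default package set, no registration step)

# ---- Hardened form ----
selinux --enforcing
# RHEL 6: iptables/ip6tables with only SSH open; on RHEL 7 anaconda maps this to firewalld
firewall --enabled --ssh
# Keep auditing, packet filtering and SELinux relabelling on at boot;
# yum-updatesd is not wanted on a host that gets content from Satellite
services --enabled=auditd,iptables,ip6tables,restorecond --disabled=yum-updatesd

%packages --nobase
@core
subscription-manager
# Not needed on a subscription-manager registered host (RHN classic plugin)
-yum-rhn-plugin
%end

%post --log=/root/ks-post.log
# Register using the two host parameters named in the verification comment.
# Assumption: the template reads them as @host.params['kt_org'] / ['kt_activation_keys'].
subscription-manager register \
  --org="<%= @host.params['kt_org'] %>" \
  --activationkey="<%= @host.params['kt_activation_keys'] %>"
%end
```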

Comment 3 Dominic Cleal 2014-05-23 07:07:51 UTC
1. System not registered: the "Katello Kickstart Default for RHEL" template should register the host to Sat6/Katello automatically using the activation key specified on the host; if not, please file a separate BZ with a bit more information.

The other two Kickstart* templates are supplied by Foreman and can register hosts if configured correctly, but aren't intended to be used in Sat6.

2. SELinux in permissive: I've cloned this to bug #1100582 to be fixed in Katello.

3. Services disabled: we'll address that via this BZ in Foreman.

4. Default packages: I've mentioned this on bug #1100582 in case Katello wish to specifically exclude it, but otherwise this is dictated by comps in the OS itself.

Comment 4 Jan Hutař 2014-06-04 08:52:27 UTC
Thank you for response!

(In reply to Dominic Cleal from comment #3)
> 1. System not registered: the "Katello Kickstart Default for RHEL" template
> should do register the host to Sat6/Katello automatically using the
> activation key specified on the host, if not, please file a separate BZ with
> a bit more information.

I have to get my setup back. Will test and report later.

> The other two Kickstart* templates are supplied by Foreman and can register
> hosts if configured correctly, but aren't intended to be used in Sat6.

I have reported bug 1104570 for this.

> 2. SELinux in permissive: I've cloned this to bug #1100582 to be fixed in
> Katello.

Thank you.

> 3. Services disabled: we'll address that via this BZ in Foreman.

OK.

> 4. Default packages: I've mentioned this on bug #1100582 in case Katello
> wish to specifically exclude it, but otherwise this is dictated by comps in
> the OS itself.

Once I have my setup back, I'll either forget about it or test it and create a separate bugzilla.

Comment 5 Dominic Cleal 2014-06-06 13:01:18 UTC
This will need patching downstream against app/views/unattended/kickstart/; it's been merged to community-templates upstream.

Comment 8 Kedar Bidarkar 2014-06-23 11:08:18 UTC
Verified with SNAP10.


1) Systems do get registered automatically.
This requires the following parameters to be set for the host:
a) kt_org as "<the desired org>"
b) kt_activation_keys as "<the AK to be registered with>"
[root@xxxx ~]# yum repolist
Loaded plugins: product-id, subscription-manager
repo id                              repo name      status
ACME_Corporation_RHEL7_RHEL7_x86_64  RHEL7_x86_64   4,305
repolist: 4,305

2) SELinux is running in enforcing mode.
[root@xxxx ~]# getenforce
Enforcing

3) Below are the services which are enabled:
[root@xxxx ~]# systemctl list-unit-files  | grep -i firewall
dbus-org.fedoraproject.FirewallD1.service   enabled 
firewalld.service                           enabled 
[root@xxxx ~]# systemctl list-unit-files  | grep -i auditd
auditd.service                              enabled 
[root@xxxx ~]# systemctl list-unit-files  | grep -ie restorecond -ie yum-updatesd

4) yum-rhn-plugin still exists:
[root@xxxx ~]# rpm -qav | grep -i yum-rhn-plugin
yum-rhn-plugin-2.0.1-4.el7.noarch

Comment 9 Kedar Bidarkar 2014-06-23 12:53:24 UTC
The above details are for RHEL7 provisioned machines; the output below is from RHEL6 provisioned machines.

[root@dlink65 ~]# yum repolist
Loaded plugins: product-id, security, subscription-manager
This system is receiving updates from Red Hat Subscription Management.
ACME_Corporation_RHEL6_RHEL65_x86_64                  | 2.5 kB     00:00
repo id                               repo name       status
ACME_Corporation_RHEL6_RHEL65_x86_64  RHEL65_x86_64   3,690
repolist: 3,690
[root@dlink65 ~]# getenforce
Enforcing
[root@dlink65 ~]# rpm -qav | grep -i rhn-plugin
yum-rhn-plugin-0.9.1-48.el6.noarch
[root@dlink65 ~]# chkconfig --list | grep -ie iptables -ie ip6tables -ie restorecon -ie auditd
auditd         	0:off	1:off	2:on	3:on	4:on	5:on	6:off
ip6tables      	0:off	1:off	2:on	3:on	4:on	5:on	6:off
iptables       	0:off	1:off	2:on	3:on	4:on	5:on	6:off
restorecond    	0:off	1:off	2:off	3:off	4:off	5:off	6:off
[root@dlink65 ~]# chkconfig --list | grep -i yum-updatesd
[root@dlink65 ~]#

NOTE: For both RHEL6 and RHEL7 provisioning, the template used was "Satellite Kickstart default for RHEL".

Comment 10 Bryan Kearney 2014-07-02 14:04:44 UTC
This was delivered with 6.0.3, which is the Satellite 6 Beta.