Bug 1305782 - Support arbitrary configuration options for internal puppet classes in the installer
Status: CLOSED ERRATA
Product: Red Hat Satellite 6
Classification: Red Hat
Component: Installer
Version: 6.1.5
Hardware: x86_64 Linux
Priority: unspecified
Severity: medium
Target Milestone: 6.2.8
Target Release: --
Assigned To: Stephen Benjamin
QA Contact: Lukas Pramuk
Keywords: Security, Triaged
Duplicates: 1198115 1304022 1328300 1328367 1396535 1397718 1415139 1421636 1428016
Blocks: GSS_Sat6Beta_Tracker/GSS_Sat6_Tracker 1377060 1211642 1305938 1417085 1432305
Reported: 2016-02-09 03:53 EST by Abel Lopez
Modified: 2018-01-17 13:16 EST (History)
Fixed In Version: foreman-installer-1.11.0.15-2
Doc Type: Bug Fix
Clones: 1417085
Last Closed: 2017-03-06 10:11:41 EST
Type: Bug
External Trackers
Tracker ID Priority Status Summary Last Updated
Foreman Issue Tracker 16207 None None None 2016-08-19 15:03 EDT
Description Abel Lopez 2016-02-09 03:53:28 EST
Description of problem:
default install of satellite 6.1.5 has apache configured with TraceEnabled On
This causes generic security auditors to panic and raise red flags

Version-Release number of selected component (if applicable):
6.1.5

How reproducible:
Every time

Steps to Reproduce:
1. Install Satellite 6.1.5
2. Pay some security auditor to scan it
3.

Actual results:
Trace/Track enabled

Expected results:
Should be disabled

Additional info:
had to modify /etc/httpd/conf/httpd.conf
Comment 1 Kurt Seifried 2016-02-09 11:18:26 EST
This is Kurt from Product Security, just to let you know we're keeping an eye on this and I'll be talking to the Satellite 6 people about it. Thanks for reporting this!
Comment 2 Kurt Seifried 2016-02-09 13:04:03 EST
So restricting HTTP methods/verbs:

<Location "/">
   AllowMethods GET POST...
</Location>

This does not affect Trace, so we’ll also need:

TraceEnable Off
Comment 6 Bryan Kearney 2016-07-08 16:48:53 EDT
Per 6.3 planning, moving out non acked bugs to the backlog
Comment 9 Stephen Benjamin 2016-10-13 11:42:49 EDT
We have a few requests like this, and there may be other needs for custom apache settings.  I think the best approach would be allowing the customer to provide their own Hiera configuration for apache, like this one:

  https://github.com/theforeman/foreman-installer/blob/develop/config/foreman.hiera/RedHat.yaml

That way we can let them configure it in whatever way meets their security needs.
Comment 10 Stephen Benjamin 2016-10-13 11:43:37 EDT
*** Bug 1328300 has been marked as a duplicate of this bug. ***
Comment 12 Stephen Benjamin 2016-10-14 09:18:08 EDT
*** Bug 1328367 has been marked as a duplicate of this bug. ***
Comment 13 Stephen Benjamin 2016-10-14 09:20:13 EDT
*** Bug 1198115 has been marked as a duplicate of this bug. ***
Comment 14 Stephen Benjamin 2016-10-20 13:44:16 EDT
Opened a PR upstream with a proposal on how to solve this.

Satellite 6.3 installer allows the use of hiera, so you can now "reach" into puppet classes that are not exposed at the top of satellite-installer and configure those deeper settings.  The PR adds support for some custom hiera config.

However, a warning: we have to be careful here - there are many settings that users should NOT change, so it should be documented on a case-by-case basis.

The ones mentioned here and in the linked BZ's should be safe to change and in general the various security guides recommend settings we don't care about too much (turning trace off, server signature, etc).

If the PR is accepted, users would:

Create a YAML file on the Satellite server:

      /usr/share/foreman-installer/config/foreman.hiera/custom.yaml


With contents like this:

    ---
    apache::server_tokens: Prod
    apache::server_signature: Off
    apache::trace_enable: Off


This will configure the relevant apache settings.  Additional settings can be viewed in the code itself, or the apache module docs: https://forge.puppet.com/puppetlabs/apache

The names are usually fairly obvious.

After creating this file, re-run the installer and see Apache is configured accordingly:


[root@test-box foreman.hiera]# grep -r ServerSignature /etc/httpd
/etc/httpd/conf.d/15-default.conf:  ServerSignature Off
/etc/httpd/conf.d/03-crane.conf:  ServerSignature Off
/etc/httpd/conf.d/05-foreman.conf:  ServerSignature Off
/etc/httpd/conf.d/05-foreman-ssl.conf:  ServerSignature Off
/etc/httpd/conf/httpd.conf:ServerSignature Off

[root@test-box foreman.hiera]# grep -r ServerToken /etc/httpd
/etc/httpd/conf/httpd.conf:ServerTokens Prod

[root@test-box foreman.hiera]# grep -r Trace /etc/httpd
/etc/httpd/conf/httpd.conf:TraceEnable Off
Comment 15 Bryan Kearney 2016-10-31 12:12:41 EDT
Moving this bug to POST for triage into Satellite 6 since the upstream issue http://projects.theforeman.org/issues/16207 has been resolved.
Comment 16 Stephen Benjamin 2016-10-31 13:53:03 EDT
Upstream patch was accepted.  Steps are same as comment #14, except the path is more user-friendly:


  /etc/foreman-install/custom-hiera.yaml
Comment 17 Stephen Benjamin 2016-10-31 13:53:36 EDT
Sorry that's installer not install:


  /etc/foreman-installer/custom-hiera.yaml
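An added example, not from this bug report and not part of foreman-installer: a small POSIX shell script that writes the custom Hiera file at the path given in comment 17 with the three apache::* keys from comment 14, and, once satellite-installer has been re-run, audits every *.conf file under /etc/httpd for the hardened TraceEnable, ServerTokens and ServerSignature values instead of eyeballing grep output as in comments 14, 28 and 29. The function names, the HIERA_PATH variable and the constructed demo tree are assumptions of this example; the directive names and values come from the comments above.

```shell
#!/bin/sh
# Added example; not part of the bug report or of foreman-installer.
# Assumes the custom Hiera path from comment 17 and the three apache::* keys from comment 14.
#
#   write_custom_hiera [DEST]  write the hardening keys into DEST (default: comment 17's path)
#   audit_httpd_conf CONFDIR   after satellite-installer has been re-run, verify the rendered
#                              httpd configuration actually carries the hardened values
#   demo                       run the audit against a constructed, deliberately non-compliant tree

HIERA_PATH=/etc/foreman-installer/custom-hiera.yaml   # assumption: path from comment 17

write_custom_hiera() {
    dest="${1:-$HIERA_PATH}"
    mkdir -p "$(dirname "$dest")"
    cat > "$dest" <<'EOF'
---
apache::server_tokens: Prod
apache::server_signature: Off
apache::trace_enable: Off
EOF
}

# Print every TraceEnable/ServerTokens/ServerSignature line from *.conf files under CONFDIR,
# leading whitespace stripped and comment lines dropped. Assumes one directive per line,
# which is how the puppetlabs-apache templates emit them.
httpd_directives() {
    find "$1" -type f -name '*.conf' -exec cat {} + 2>/dev/null \
        | sed 's/^[[:space:]]*//' \
        | grep -v '^#' \
        | grep -iE '^(TraceEnable|ServerTokens|ServerSignature)[[:space:]]' || true
}

# Returns 0 when each directive is present and every occurrence carries the hardened value;
# returns 1 and prints one line per finding otherwise. A missing directive is a finding too:
# Apache's compiled-in defaults for TraceEnable (On) and ServerTokens (Full) are the permissive ones.
audit_httpd_conf() {
    confdir="$1"
    rc=0
    lines=$(httpd_directives "$confdir")
    for want in "TraceEnable Off" "ServerTokens Prod" "ServerSignature Off"; do
        name=${want%% *}
        value=${want#* }
        found=$(printf '%s\n' "$lines" | grep -i "^$name[[:space:]]" || true)
        if [ -z "$found" ]; then
            echo "MISSING: $name is not set under $confdir"
            rc=1
        else
            # any occurrence with a different value (e.g. "TraceEnable On" left in httpd.conf)
            bad=$(printf '%s\n' "$found" | grep -ivE "^$name[[:space:]]+$value[[:space:]]*$" || true)
            if [ -n "$bad" ]; then
                echo "NONCOMPLIANT: expected '$want', found: $bad"
                rc=1
            fi
        fi
    done
    return $rc
}

# Constructed httpd tree reproducing the state seen in comment 28 (custom param not applied yet).
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/conf" "$tmp/conf.d"
    printf 'ServerTokens Prod\nTraceEnable On\nServerSignature Off\n' > "$tmp/conf/httpd.conf"
    printf '  ServerSignature Off\n' > "$tmp/conf.d/05-foreman.conf"
    audit_httpd_conf "$tmp" && echo "compliant" || echo "audit failed (exit $?)"
    rm -rf "$tmp"
}

case "${1:-}" in demo) demo ;; esac
```

Saved as, say, hiera-hardening-check.sh, `sh hiera-hardening-check.sh demo` shows the audit flagging the comment-28 state (TraceEnable still On). On a Satellite server the sequence is the one from comments 14 and 17: `write_custom_hiera`, re-run satellite-installer, then `audit_httpd_conf /etc/httpd`. Checking every file rather than only httpd.conf matters because the installer renders the same directive into several conf.d files, as the ServerSignature output in comment 14 shows.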
Comment 18 Brad Buckingham 2016-11-15 14:21:37 EST
*** Bug 1394093 has been marked as a duplicate of this bug. ***
Comment 21 Stephen Benjamin 2016-11-18 12:05:51 EST
*** Bug 1396535 has been marked as a duplicate of this bug. ***
Comment 22 Stephen Benjamin 2016-11-18 12:07:19 EST
Just making the title clearer, since this works for anything (e.g. puppet) not just apache
Comment 23 Stephen Benjamin 2016-11-29 09:48:58 EST
*** Bug 1304022 has been marked as a duplicate of this bug. ***
Comment 24 Stephen Benjamin 2016-12-05 14:26:38 EST
*** Bug 1397718 has been marked as a duplicate of this bug. ***
Comment 25 Stephen Benjamin 2017-01-23 09:37:33 EST
*** Bug 1415139 has been marked as a duplicate of this bug. ***
Comment 26 Stephen Benjamin 2017-01-25 15:17:47 EST
QE: How To Verify This Bug


1. Edit the file /etc/foreman-installer/custom-hiera.conf to have this content:

---
apache::trace_enable: Off

2. Run satellite-installer

3. Confirm httpd config files have trace off

[root@test-box foreman.hiera]# grep -r Trace /etc/httpd
/etc/httpd/conf/httpd.conf:TraceEnable Off
Comment 27 Stephen Benjamin 2017-02-16 09:43:18 EST
*** Bug 1421636 has been marked as a duplicate of this bug. ***
Comment 28 Lukas Pramuk 2017-02-23 17:33:12 EST
FailedQA.

@satellite-6.2.8-1.0.el7sat.noarch (snap3)
foreman-installer-1.11.0.15-2.el7sat.noarch

using reproducer in comment#26:

# cat /etc/foreman-installer/custom-hiera.conf
apache::trace_enable: Off

# satellite-installer -S satellite
Installing             Done                                               [100%] [...............................................................................................................................]
  Success!
  * Satellite is running at https://<FQDN>
      Initial credentials are admin / ZMHdV5x3W3c6Y8KU
  * To install additional capsule on separate machine continue by running:

      capsule-certs-generate --capsule-fqdn "$CAPSULE" --certs-tar "~/$CAPSULE-certs.tar"

  The full log is at /var/log/foreman-installer/satellite.log

# grep -r Trace /etc/httpd
/etc/httpd/conf/httpd.conf:TraceEnable On

>>> custom param still has no effect
Comment 29 Lukas Pramuk 2017-02-23 17:50:24 EST
VERIFIED.

I noticed that reproducer in comment#26 is not correct: 
 custom-hiera.conf should be custom-hiera.yaml

# cat /etc/foreman-installer/custom-hiera.yaml
apache::trace_enable: Off

# satellite-installer -S satellite
...

# grep -r Trace /etc/httpd
/etc/httpd/conf/httpd.conf:TraceEnable Off

>>> installer takes custom param into account
Comment 30 Bryan Kearney 2017-03-06 10:11:41 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:0447
Comment 31 Stephen Benjamin 2017-03-24 16:44:08 EDT
*** Bug 1428016 has been marked as a duplicate of this bug. ***