Bug 1305782 - Support arbitrary configuration options for internal puppet classes in the installer
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Satellite
Classification: Red Hat
Component: Installer
Version: 6.1.5
Hardware: x86_64
OS: Linux
Priority: unspecified
Severity: medium
Target Milestone: Unspecified
Assignee: Stephen Benjamin
QA Contact: Lukas Pramuk
URL:
Whiteboard:
Duplicates: 1198115 1304022 1328300 1328367 1396535 1397718 1415139 1421636 1428016
Depends On:
Blocks: GSS_Sat6Beta_Tracker, GSS_Sat6_Tracker 1211642 1305938 1377060 1417085 1432305
Reported: 2016-02-09 08:53 UTC by Abel Lopez
Modified: 2021-09-09 11:46 UTC (History)

Fixed In Version: foreman-installer-1.11.0.15-2
Doc Type: Bug Fix
Doc Text:
Clone Of:
Clones: 1417085
Environment:
Last Closed: 2017-03-06 15:11:41 UTC
Target Upstream Version:

Links:
Foreman Issue Tracker 16207 (Priority: Normal, Status: Closed): "Allow users to provide custom hiera configuration", last updated 2021-01-14 16:00:13 UTC

Description Abel Lopez 2016-02-09 08:53:28 UTC
Description of problem:
default install of satellite 6.1.5 has apache configured with TraceEnabled On
This causes generic security auditors to panic and raise red flags

Version-Release number of selected component (if applicable):
6.1.5

How reproducible:
Every time

Steps to Reproduce:
1. Install Satellite 6.1.5
2. Pay some security auditor to scan it
3.

Actual results:
Trace/Track enabled

Expected results:
Should be disabled

Additional info:
had to modify /etc/httpd/conf/httpd.conf

Comment 1 Kurt Seifried 2016-02-09 16:18:26 UTC
This is Kurt from Product Security, just to let you know we're keeping an eye on this and I'll be talking to the Satellite 6 people about it. Thanks for reporting this!

Comment 2 Kurt Seifried 2016-02-09 18:04:03 UTC
So restricting HTTP methods/verbs:

# AllowMethods comes from mod_allowmethods (Apache httpd 2.4) and is only valid
# in a directory context such as <Location>; TRACE is not governed by it.
<Location "/">
   AllowMethods GET POST...
</Location>

This does not affect Trace, so we’ll also need:

TraceEnable Off

Comment 6 Bryan Kearney 2016-07-08 20:48:53 UTC
Per 6.3 planning, moving out non acked bugs to the backlog

Comment 9 Stephen Benjamin 2016-10-13 15:42:49 UTC
We have a few requests like this, and there may be other needs for custom apache settings.  I think the best approach would be allowing the customer to provide their own Hiera configuration for apache, like this one:

  https://github.com/theforeman/foreman-installer/blob/develop/config/foreman.hiera/RedHat.yaml

That way we can let them configure it in whatever way meets their security needs.

Comment 10 Stephen Benjamin 2016-10-13 15:43:37 UTC
*** Bug 1328300 has been marked as a duplicate of this bug. ***

Comment 12 Stephen Benjamin 2016-10-14 13:18:08 UTC
*** Bug 1328367 has been marked as a duplicate of this bug. ***

Comment 13 Stephen Benjamin 2016-10-14 13:20:13 UTC
*** Bug 1198115 has been marked as a duplicate of this bug. ***

Comment 14 Stephen Benjamin 2016-10-20 17:44:16 UTC
Opened a PR upstream with a proposal on how to solve this.

Satellite 6.3 installer allows the use of hiera, so you can now "reach" into puppet classes that are not exposed at the top of satellite-installer and configure those deeper settings.  The PR adds support for some custom hiera config.

However, a warning: we have to be careful here - there are many settings that users should NOT change, so it should be documented on a case-by-case basis.

The ones mentioned here and in the linked BZ's should be safe to change and in general the various security guides recommend settings we don't care about too much (turning trace off, server signature, etc).

If the PR is accepted, users would:

Create a YAML file on the Satellite server:

      /usr/share/foreman-installer/config/foreman.hiera/custom.yaml


With contents like this:

    ---
    apache::server_tokens: Prod
    apache::server_signature: Off
    apache::trace_enable: Off


This will configure the relevant apache settings.  Additional settings can be viewed in the code itself, or the apache module docs: https://forge.puppet.com/puppetlabs/apache

The names are usually fairly obvious.

After creating this file, re-run the installer and see Apache is configured accordingly:


[root@test-box foreman.hiera]# grep -r ServerSignature /etc/httpd
/etc/httpd/conf.d/15-default.conf:  ServerSignature Off
/etc/httpd/conf.d/03-crane.conf:  ServerSignature Off
/etc/httpd/conf.d/05-foreman.conf:  ServerSignature Off
/etc/httpd/conf.d/05-foreman-ssl.conf:  ServerSignature Off
/etc/httpd/conf/httpd.conf:ServerSignature Off

[root@test-box foreman.hiera]# grep -r ServerToken /etc/httpd
/etc/httpd/conf/httpd.conf:ServerTokens Prod

[root@test-box foreman.hiera]# grep -r Trace /etc/httpd
/etc/httpd/conf/httpd.conf:TraceEnable Off

Comment 15 Bryan Kearney 2016-10-31 16:12:41 UTC
Moving this bug to POST for triage into Satellite 6 since the upstream issue http://projects.theforeman.org/issues/16207 has been resolved.

Comment 16 Stephen Benjamin 2016-10-31 17:53:03 UTC
Upstream patch was accepted.  Steps are same as comment #14, except the path is more user-friendly:


  /etc/foreman-install/custom-hiera.yaml

Comment 17 Stephen Benjamin 2016-10-31 17:53:36 UTC
Sorry that's installer not install:


  /etc/foreman-installer/custom-hiera.yaml

Comment 18 Brad Buckingham 2016-11-15 19:21:37 UTC
*** Bug 1394093 has been marked as a duplicate of this bug. ***

Comment 21 Stephen Benjamin 2016-11-18 17:05:51 UTC
*** Bug 1396535 has been marked as a duplicate of this bug. ***

Comment 22 Stephen Benjamin 2016-11-18 17:07:19 UTC
Just making the title clearer, since this works for anything (e.g. puppet) not just apache

Comment 23 Stephen Benjamin 2016-11-29 14:48:58 UTC
*** Bug 1304022 has been marked as a duplicate of this bug. ***

Comment 24 Stephen Benjamin 2016-12-05 19:26:38 UTC
*** Bug 1397718 has been marked as a duplicate of this bug. ***

Comment 25 Stephen Benjamin 2017-01-23 14:37:33 UTC
*** Bug 1415139 has been marked as a duplicate of this bug. ***

Comment 26 Stephen Benjamin 2017-01-25 20:17:47 UTC
QE: How To Verify This Bug


1. Edit the file /etc/foreman-installer/custom-hiera.conf to have this content:

---
apache::trace_enable: Off

2. Run satellite-installer

3. Confirm httpd config files have trace off

[root@test-box foreman.hiera]# grep -r Trace /etc/httpd
/etc/httpd/conf/httpd.conf:TraceEnable Off

Comment 27 Stephen Benjamin 2017-02-16 14:43:18 UTC
*** Bug 1421636 has been marked as a duplicate of this bug. ***

Comment 28 Lukas Pramuk 2017-02-23 22:33:12 UTC
FailedQA.

@satellite-6.2.8-1.0.el7sat.noarch (snap3)
foreman-installer-1.11.0.15-2.el7sat.noarch

using reproducer in comment#26:

# cat /etc/foreman-installer/custom-hiera.conf
apache::trace_enable: Off

# satellite-installer -S satellite
Installing             Done                                               [100%] [...............................................................................................................................]
  Success!
  * Satellite is running at https://<FQDN>
      Initial credentials are admin / ZMHdV5x3W3c6Y8KU
  * To install additional capsule on separate machine continue by running:

      capsule-certs-generate --capsule-fqdn "$CAPSULE" --certs-tar "~/$CAPSULE-certs.tar"

  The full log is at /var/log/foreman-installer/satellite.log

# grep -r Trace /etc/httpd
/etc/httpd/conf/httpd.conf:TraceEnable On

>>> custom param still has no effect

Comment 29 Lukas Pramuk 2017-02-23 22:50:24 UTC
VERIFIED.

I noticed that reproducer in comment#26 is not correct: 
 custom-hiera.conf should be custom-hiera.yaml

# cat /etc/foreman-installer/custom-hiera.yaml
apache::trace_enable: Off

# satellite-installer -S satellite
...

# grep -r Trace /etc/httpd
/etc/httpd/conf/httpd.conf:TraceEnable Off

>>> installer takes custom param into account
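A post-installer check for the procedure in comment 14 and the QE steps in comments 26 to 29, added here as an example; it is not code from the bug report or from foreman-installer. It assumes the override path /etc/foreman-installer/custom-hiera.yaml from comment 17, an allow-list that is an assumption made of the three apache keys named in comment 14, and constructed fixture files so that it runs offline. On a real host, run audit / after satellite-installer finishes; the bad fixture reproduces the FailedQA situation, where a file named custom-hiera.conf is silently ignored and TraceEnable stays On.

```bash
#!/bin/sh
# Added example, not code from the bug report or from foreman-installer.
# It checks the two things the comments above turned on:
#   1. the override file really is custom-hiera.yaml (custom-hiera.conf is
#      ignored without any error) and only carries keys on an allow-list;
#   2. the rendered httpd configuration carries the hardened values.
# The allow-list and the fixture tree built below are assumptions for the demo.

# Keys treated as safe to override. Assumed for this example, taken from the
# three apache settings named in the bug; extend it from your own documentation.
SAFE_KEYS="apache::server_tokens apache::server_signature apache::trace_enable"

# check_hiera_file FILE
# Returns 1 on a wrong extension, a missing file, or a key outside SAFE_KEYS.
# Assumes the flat "module::param: value" layout shown in comment 14.
check_hiera_file() {
    local file="$1" line key rc=0
    case "$file" in
        *.yaml) ;;
        *) echo "wrong name: $file (the installer only reads custom-hiera.yaml)" >&2; return 1 ;;
    esac
    [ -f "$file" ] || { echo "missing: $file" >&2; return 1; }
    while IFS= read -r line; do
        case "$line" in
            ''|'---'|'#'*) continue ;;   # document marker, comments, blank lines
        esac
        key="${line%%: *}"               # strip ": value"; leaves module::param
        case " $SAFE_KEYS " in
            *" $key "*) ;;
            *) echo "not on allow-list: $key" >&2; rc=1 ;;
        esac
    done < "$file"
    return $rc
}

# expect_directive DIR DIRECTIVE VALUE
# Every DIRECTIVE line under DIR must carry VALUE, and at least one must exist;
# a directive that was never rendered means the override did not take effect.
expect_directive() {
    local dir="$1" directive="$2" want="$3" found bad
    found=$(grep -rh "^[[:space:]]*$directive[[:space:]]" "$dir" 2>/dev/null || true)
    [ -n "$found" ] || { echo "$directive not rendered under $dir" >&2; return 1; }
    bad=$(printf '%s\n' "$found" | grep -v "[[:space:]]$want[[:space:]]*$" || true)
    [ -z "$bad" ] || { printf '%s has unexpected value:\n%s\n' "$directive" "$bad" >&2; return 1; }
}

# check_httpd_hardening DIR: the three settings from the bug, as the installer renders them.
check_httpd_hardening() {
    expect_directive "$1" TraceEnable Off &&
    expect_directive "$1" ServerSignature Off &&
    expect_directive "$1" ServerTokens Prod
}

# build_fixture ROOT EXT TRACE
# Constructed sample tree (not a real Satellite host): an override file named
# custom-hiera.EXT and the httpd files the installer would render, with
# TraceEnable set to TRACE so the failing case from comment 28 can be reproduced.
build_fixture() {
    local root="$1" ext="$2" trace="$3"
    mkdir -p "$root/etc/foreman-installer" "$root/etc/httpd/conf" "$root/etc/httpd/conf.d"
    printf '%s\n' '---' 'apache::server_tokens: Prod' 'apache::server_signature: Off' \
        'apache::trace_enable: Off' > "$root/etc/foreman-installer/custom-hiera.$ext"
    printf '%s\n' 'ServerTokens Prod' 'ServerSignature Off' "TraceEnable $trace" \
        > "$root/etc/httpd/conf/httpd.conf"
    printf '%s\n' '<VirtualHost *:80>' '  ServerSignature Off' '</VirtualHost>' \
        > "$root/etc/httpd/conf.d/05-foreman.conf"
}

# audit ROOT: run both checks against a tree rooted at ROOT (use / on a real host).
audit() {
    check_hiera_file "$1/etc/foreman-installer/custom-hiera.yaml" &&
    check_httpd_hardening "$1/etc/httpd"
}

# Stand-alone demo: the good tree passes; the tree with the misnamed file and
# TraceEnable still On (the FailedQA situation) fails with a reason on stderr.
demo() {
    local tmp
    tmp=$(mktemp -d)
    build_fixture "$tmp/good" yaml Off
    build_fixture "$tmp/bad" conf On
    audit "$tmp/good" && echo "good tree: override applied"
    audit "$tmp/bad" || echo "bad tree: override not applied"
    rm -rf "$tmp"
}
demo
```

The allow-list check exists because of the warning in comment 14: the hiera hook reaches every internal class, so an override file is worth reviewing before each installer run, not only after it.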

Comment 30 Bryan Kearney 2017-03-06 15:11:41 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:0447

Comment 31 Stephen Benjamin 2017-03-24 20:44:08 UTC
*** Bug 1428016 has been marked as a duplicate of this bug. ***
