Bug 1392681 - SCAP Security Guide remediation fail - CCE-80258-7 - Disable KDump Kernel Crash Analyzer (kdump)
Summary: SCAP Security Guide remediation fail - CCE-80258-7 - Disable KDump Kernel Cra...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: scap-security-guide
Version: 7.3
Hardware: Unspecified
OS: Unspecified
medium
medium
Target Milestone: rc
: ---
Assignee: Watson Yuuma Sato
QA Contact: Marek Haicman
URL:
Whiteboard:
Depends On: 1564903
Blocks:
TreeView+ depends on / blocked
 
Reported: 2016-11-08 02:25 UTC by Shawn Wells
Modified: 2018-10-30 11:47 UTC (History)
4 users (show)

Fixed In Version: scap-security-guide-0.1.40-1.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-10-30 11:46:47 UTC
Target Upstream Version:

Attachments (Terms of Use)
Anaconda oscap and kdump addon logs (1.04 KB, text/plain)
2017-04-11 16:05 UTC, Watson Yuuma Sato 		no flags Details
failed anaconda hardening run (1.66 MB, text/html)
2018-08-27 15:22 UTC, Marek Haicman 		no flags Details
View All Add an attachment (proposed patch, testcase, etc.)


Links
System ID Private Priority Status Summary Last Updated
Github https://github.com/OpenSCAP scap-security-guide issues 1547 0 None None None 2016-11-08 03:45:41 UTC
Red Hat Product Errata RHBA-2018:3308 0 None None None 2018-10-30 11:47:23 UTC

Description Shawn Wells 2016-11-08 02:25:16 UTC 
When installing RHEL 7.3 using SCAP security profile, "CCE-80258-7 - Disable KDump Kernel Crash Analyzer (kdump)" fails to take effect.
Comment 1 Shawn Wells 2016-11-08 03:45:42 UTC 
upstream BZ https://github.com/OpenSCAP/scap-security-guide/issues/1547
Comment 3 redhatrises 2016-11-08 14:34:46 UTC 
Shawn,

Since you were testing this with anaconda, is this because kdump is configured/enabled/disabled on firstboot?
Comment 4 Watson Yuuma Sato 2017-04-11 12:23:54 UTC 
To be able to disable services through anaconda remediation we need add support for 'service' fix element in oscap-anaconda-addon.
Comment 5 Watson Yuuma Sato 2017-04-11 13:02:55 UTC 
There is also another approach using an Anaconda addon (com_redhat_kdump) that can disable kdump, but oscap-anaconda-addon doesn't support this fix element too.
Comment 6 redhatrises 2017-04-11 13:17:26 UTC 
I say that we should add both 'service' and 'com_redhat_kdump' to the oscap-anaconda-addon to better support kickstart builds.
Comment 7 Watson Yuuma Sato 2017-04-11 16:05:37 UTC 
Created attachment 1270865 [details]
Anaconda oscap and kdump addon logs
Comment 8 Watson Yuuma Sato 2017-04-11 16:07:59 UTC 
Although there is no anaconda remediation, I did not understand why the post-install evaluation and remediation would not fix it, if there is script remediation for this.

After some investigation I found out that com_redhat_kdump addon runs right after oscap-anaconda-addon and applies its configuration, and default configuration is kdump enabled. See attached log snippet from anaconda.
Comment 9 Watson Yuuma Sato 2018-06-07 08:25:48 UTC 
With latest version of oscap-anaconda-addon (0.9), and following patches to SSG, we can disable kdump at install time.

https://github.com/OpenSCAP/scap-security-guide/pull/2764
https://github.com/OpenSCAP/scap-security-guide/pull/2827
Comment 11 Marek Haicman 2018-08-27 15:22:39 UTC 
Created attachment 1478985 [details]
failed anaconda hardening run

Hi, it looks like this is still somehow buggy - the anaconda has been properly informed to disable kdump (the spoke has updated to kdump disable by profile selection).
Comment 12 Marek Haicman 2018-09-16 21:27:04 UTC 
My finding in Comment 11 was manifestation of Bug 1629490. Kdump is truly disabled by the profile after reboot of the machine in version scap-security-guide-0.1.40-5.el7.

Verified manually.
Comment 14 errata-xmlrpc 2018-10-30 11:46:47 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:3308
Note You need to log in before you can comment on or make changes to this bug.