Hello. The DoD has released the RHEL7 STIG, so this has now become an official requirement for US Government systems. This means every Satellite deployment to US DoD, or agencies that follow DoD guidance (e.g. System Integrators, like Booz and Lockheed) will now need special waivers to use Satellite. Have there been any conversations on if/when this functionality will be developed and released for Satellite?
Hello All, Scoots here. Is there any chance that we have been able to ascertain any information regarding this bug? Thank you in advance! Scoots
For your info, here is the direct STIG requirement.

##### SECTION 3 STIG requirement, CAT 1 (category 1) finding #############################
### begin quoted text from current STIG

Group ID (Vulid): V-71981
Group Title: SRG-OS-000366-GPOS-00153
Rule ID: SV-86605r1_rule
Severity: CAT I
Rule Version (STIG-ID): RHEL-07-020070
Rule Title: The operating system must prevent the installation of software, patches, service packs, device drivers, or operating system components of packages without verification of the repository metadata.

Vulnerability Discussion: Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor. Accordingly, patches, service packs, device drivers, or operating system components must be signed with a certificate recognized and approved by the organization. Verifying the authenticity of the software prior to installation validates the integrity of the patch or upgrade received from a vendor. This ensures the software has not been tampered with and that it has been provided by a trusted vendor. Self-signed certificates are disallowed by this requirement. The operating system should not have to verify the software again. This requirement does not mandate DoD certificates for this purpose; however, the certificate used to verify the software must be from an approved Certificate Authority.

Check Content: Verify the operating system prevents the installation of patches, service packs, device drivers, or operating system components of local packages without verification of the repository metadata.

Check that yum verifies the package metadata prior to install with the following command:

    # grep repo_gpgcheck /etc/yum.conf
    repo_gpgcheck=1

If "repo_gpgcheck" is not set to "1", or if options are missing or commented out, ask the System Administrator how the metadata of local packages and other operating system components are verified. If there is no process to validate the metadata of packages that is approved by the organization, this is a finding.

Fix Text: Configure the operating system to verify the repository metadata by setting the following options in the "/etc/yum.conf" file:

    repo_gpgcheck=1

CCI: CCI-001749

### end quoted text from current STIG #############################

We have a case ID for this (01853464)
sorry, ignore the line that says "section 3" in my previous post
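As an added example (not part of the STIG text or of any comment in this bug), the following Python script audits the setting the STIG check above looks for, and goes one step further than the STIG's grep of /etc/yum.conf: yum lets each [repoid] section, in yum.conf itself or in /etc/yum.repos.d/*.repo, override repo_gpgcheck, so a compliant [main] can still leave individual repositories unverified. The default paths are the stock yum locations; the configuration text in the test is constructed for the demo.

```python
"""Audit the effective repo_gpgcheck setting across yum's configuration.

The STIG check only greps /etc/yum.conf, but yum lets every [repoid] section
(in yum.conf itself or in /etc/yum.repos.d/*.repo) override repo_gpgcheck, so
a compliant [main] can still leave individual repositories unverified.
"""
import configparser
import glob
import os

YUM_TRUE = {"1", "true", "yes", "on"}  # spellings yum accepts as boolean true


def _as_bool(value):
    return value.strip().lower() in YUM_TRUE


def parse_yum_config(sources):
    """Parse (path, text) pairs; return (main_options, {repoid: options}).

    Sources are parsed in the order given, later sections overriding earlier
    ones with the same id, which is how yum treats yum.conf plus *.repo files.
    """
    main_opts = {}
    repos = {}
    for path, text in sources:
        cp = configparser.RawConfigParser(strict=False)  # no $var interpolation
        cp.read_string(text, source=path)
        for section in cp.sections():
            opts = dict(cp.items(section))
            if section == "main":
                main_opts.update(opts)
            else:
                repos[section] = opts
    return main_opts, repos


def load_yum_config(yum_conf="/etc/yum.conf", repos_dir="/etc/yum.repos.d"):
    """Read the live configuration from disk in yum's order."""
    paths = [yum_conf] + sorted(glob.glob(os.path.join(repos_dir, "*.repo")))
    sources = []
    for path in paths:
        with open(path, encoding="utf-8", errors="replace") as fh:
            sources.append((path, fh.read()))
    return parse_yum_config(sources)


def audit_repo_gpgcheck(main_opts, repos):
    """Return findings as strings; an empty list means every enabled repo
    verifies repository metadata (the repomd.xml signature) before use."""
    findings = []
    main_on = _as_bool(main_opts.get("repo_gpgcheck", "0"))  # yum's default is 0
    if not main_on:
        findings.append("[main] repo_gpgcheck is not 1")
    for repoid, opts in sorted(repos.items()):
        if not _as_bool(opts.get("enabled", "1")):
            continue  # a disabled repo cannot install anything
        if "repo_gpgcheck" in opts:
            effective = _as_bool(opts["repo_gpgcheck"])  # per-repo override wins
        else:
            effective = main_on
        if not effective:
            findings.append(f"repo '{repoid}' has effective repo_gpgcheck=0")
    return findings


if __name__ == "__main__":
    report = audit_repo_gpgcheck(*load_yum_config())
    for line in report or ["OK: repo_gpgcheck is effective for every enabled repo"]:
        print(line)
```

Run it as root on a client (it only reads files); a non-empty report is a finding in the STIG's sense even when /etc/yum.conf itself carries repo_gpgcheck=1. Note that a repo whose metadata is not signed will simply fail to load once this is on, which is the point of the rest of this bug.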
I've seen an article someone wrote for a non-Satellite yum repo where they used: gpg --detach-sign --armor repodata/repomd.xml Apparently this command will create a file named repodata/repomd.xml.asc which contains an ASCII version of the GPG signature of the repository metadata file repomd.xml. I'm highly reluctant to run this command for the affected components of the yum repos on our Satellite 6.2.9 servers because the impact could exceed the support we have from Red Hat. However, while that can be executed for a non-Satellite repository, this doesn't mean it "should" be done for a Satellite repository given the impact of the Satellite being a supported product from Red Hat. However, maybe this is something that could be considered along with the other facets associated with resolving this.
Side note, for making this available for RHEL 7 in general (besides making it available for Satellite 6.2.current). Today we created/presented an EPEL 7 repo locally and attempted to use [gpg --detach-sign --armor /the_path/repodata/repomd.xml] and it fails when FIPS is enabled. We found a solution ID at https://access.redhat.com/solutions/2130631 however it basically says to wait until RHEL 7.4. I bring this up here even though this Bugzilla is for Satellite, it seems related if FIPS is considered in the solution ID https://access.redhat.com/solutions/2130631
sorry, what really failed (last post), was the creation of the gpg key on RHEL 7.3, see the solution ID in my last post, apologies for the multiple posts here.
Bump. Any movement on this? Setting needinfo from Dave Caplan (Satellite Product Mgmt). Dave - Not sure who to direct the roadmap/status question to. Can you help point in the right direction?
FYI someone has submitted code upstream to address this issue. https://github.com/pulp/pulp_rpm/pull/1065 I know the guy who submitted it and he works for a government customer that is affected by this issue, so any updates or status on this would be helpful.
Opened a support case for application to my environment https://access.redhat.com/support/cases/#/case/01961866 I thought this was a Satellite problem, as the repo_gpgcheck change was done by other tooling. I encourage this missing feature to be included in Satellite 6.3 if at all possible!
Update from Customer: This has been merged into upstream Pulp. Relevant commits are: https://github.com/pulp/pulp_rpm/commit/f73805f626d96596f9ae962ab6d787d2e001f02c https://github.com/pulp/pulp_rpm/commit/5393773e361ed548b72696652f338b76908429d0 https://github.com/pulp/pulp_rpm/commit/b3e2dd8bd8c43abb4144cc9d7a121fec5e5f5899 With the exception of the documentation changes (which can be excluded), these commits apply cleanly to the Pulp v2.8.7.18 that is used by Satellite v6.2.12. Any chance of getting these commits backported?
Some additional relevant changes: https://github.com/candlepin/subscription-manager/pull/1749 https://github.com/theforeman/puppet-certs/pull/188
The attached patches backport these changes to Satellite 6.12. To use them:

On the Satellite server, run:

    sudo -s

    # Revert repo_gpgcheck.patch if it was previously applied
    yum reinstall pulp-rpm-plugins katello-installer-base
    rm -f /usr/share/katello-installer-base/modules/certs/manifests/repomd_gpg.pp

    # Apply repo_gpgcheck.patch
    cd /
    patch -p1 < ~/repo_gpgcheck.patch
    rm -f /usr/lib/python2.7/site-packages/pulp_rpm/plugins/distributors/yum/configuration.pyc /usr/lib/python2.7/site-packages/pulp_rpm/plugins/distributors/yum/configuration.pyo
    rm -f /usr/lib/python2.7/site-packages/pulp_rpm/plugins/distributors/yum/metadata/repomd.pyc /usr/lib/python2.7/site-packages/pulp_rpm/plugins/distributors/yum/metadata/repomd.pyo
    rm -f /usr/lib/python2.7/site-packages/pulp_rpm/plugins/distributors/yum/publish.pyc /usr/lib/python2.7/site-packages/pulp_rpm/plugins/distributors/yum/publish.pyo

    # Generate GPG key and build a new katello-ca-consumer RPM containing it
    satellite-installer --certs-enable-repomd-gpg=true --certs-repomd-gpg-name='satellite.example.com Repository Metadata Signing Key'

    # Sign existing repository metadata (as the apache user, which owns the published repos)
    sudo -u apache -H -s
    cd /var/lib/pulp/published/yum/master/yum_distributor/
    for d in `ls` ; do pushd $d >/dev/null ; for e in `ls` ; do pushd $e/repomd >/dev/null ; echo $d/$e ; gpg --yes --detach-sign --armor repomd.xml ; popd >/dev/null ; done ; popd >/dev/null ; done
    exit

On each Satellite client, run:

    sudo -s

    # Revert repo_gpgcheck_client.patch if it was previously applied
    yum reinstall subscription-manager

    # Update /etc/rhsm/rhsm.conf
    perl -i -pe 's/baseurl= (.*)/baseurl = \1\n\n# Repository metadata GPG key URL:\nrepomd_gpg_url =/' /etc/rhsm/rhsm.conf

    # Apply repo_gpgcheck_client.patch
    cd /
    patch -p1 < ~/repo_gpgcheck_client.patch
    rm -f /usr/lib/python2.7/site-packages/subscription_manager/managercli.pyc /usr/lib/python2.7/site-packages/subscription_manager/managercli.pyo
    rm -f /usr/lib/python2.7/site-packages/subscription_manager/repolib.pyc /usr/lib/python2.7/site-packages/subscription_manager/repolib.pyo

    # Install the new katello-ca-consumer RPM
    rpm -Uvh http://example.satellite.com/pub/katello-ca-consumer-latest.noarch.rpm

    # Enable repo_gpgcheck
    echo repo_gpgcheck=1 >> /etc/yum.conf
Created attachment 1371684: Backported for Satellite 6.12 servers
Created attachment 1371685: Backported for Satellite 6.12 clients
Er, I meant 6.2.12, not 6.12
Created attachment 1377238: Backported for Satellite 6.12 clients
This feature (once fully implemented) definitely needs documentation. Leaving notes for documentation and/or tests... `subscription-manager config --rhsm.repomd_gpg_url=${GPG_URL}` as well as setting repo_gpgcheck to 1/true in yum.conf is necessary to get this to have an effect (from the yum/subscription-manager part of things).
For anyone following along... These are the relevant client-side (subscription-manager) changes: https://github.com/candlepin/subscription-manager/commit/8236fefe942e4a32cb2c2565c63b15d3a9464855 https://github.com/candlepin/subscription-manager/commit/3cea0aa0963d87dd8f9c594330fc7167ad468330 These are the relevant server-side (pulp) changes: https://github.com/pulp/pulp_rpm/commit/f73805f626d96596f9ae962ab6d787d2e001f02c https://github.com/pulp/pulp_rpm/commit/5393773e361ed548b72696652f338b76908429d0 https://github.com/pulp/pulp_rpm/commit/b3e2dd8bd8c43abb4144cc9d7a121fec5e5f5899 Once the above changes make their way into a released version of Satellite, it will be possible to manually configure this functionality. I'm still working on automating the configuration and gpg key generation in satellite-installer: https://github.com/theforeman/puppet-pulp/commit/0829b2f50772fc095717e060dfb2e9c1a6952ec7 https://github.com/theforeman/puppet-certs/pull/188
Some additional pulp changes (these are not strictly required, but are relevant/related): https://github.com/pulp/pulp_rpm/commit/09ba819caa936a532a5f9d90c60baea9450a1431 https://github.com/pulp/pulp_rpm/commit/f351ff7240f8bf9b184f40a5e6896dd7e485a3a7 https://github.com/pulp/pulp_rpm/pull/1066 https://github.com/pulp/pulp_rpm/pull/1116 https://github.com/pulp/pulp_rpm/pull/1117 And I think I finally have the satellite-installer bits in fairly good shape now: https://github.com/Katello/katello-certs-tools/pull/3 https://github.com/theforeman/puppet-pulp/pull/321 https://github.com/theforeman/puppet-pulp/pull/322 https://github.com/theforeman/puppet-certs/pull/188 https://github.com/theforeman/puppet-foreman_proxy_content/pull/167 https://github.com/theforeman/puppet-katello/pull/245 https://github.com/theforeman/puppet-katello_devel/pull/160
Paul, appreciate the patches and will work to get these reviewed.
This may be a duplicate of https://bugzilla.redhat.com/show_bug.cgi?id=1531780 Documentation and katello integration w/ UI changes are required in addition to the pulp changes implemented in https://pulp.plan.io/issues/3055
1531780 is a duplicate of this bug. Documentation and integration are implemented in the commits and PRs listed in comments 29 and 30 above.
The Pulp upstream bug status is at CLOSED - CURRENTRELEASE. Updating the external tracker on this bug.
The Pulp upstream bug priority is at Normal. Updating the external tracker on this bug.
All upstream Pulp bugs are at MODIFIED+. Moving this bug to POST.
*** Bug 1531780 has been marked as a duplicate of this bug. ***
Closed bug 1531780 as a duplicate of this one. That bug does denote additional changes that are needed; however, they may have been addressed above. Reference: https://bugzilla.redhat.com/show_bug.cgi?id=1531780#c12
Moving back to 'NEW', changes beyond pulp are required.
It looks like pulp-infra bot marked this BZ as POST improperly in comment #41 despite non-Pulp changes being required (comment #40). Changing back to NEW.
Hello all. Just checking in on any updates regarding this request. Thanks! Josh
Also curious on the status of this issue.
Status update: The server-side changes in pulp are in Satellite 6.5 and later, and the client-side changes in subscription-manager are in 1.21.1 and later. However, the server-side changes in satellite-installer still haven't been accepted upstream, and I haven't heard anything from the satellite-installer maintainers in over a year, so they seem to have forgotten about this. See https://github.com/theforeman/puppet-pulp/pull/322 and https://github.com/theforeman/puppet-certs/pull/188 for the most recent discussions about the satellite-installer changes. I haven't upgraded to Satellite 6.5 yet myself, but when I do that, I will try to remember to post updated instructions and an updated server-side patch for satellite-installer (similar to comment #17 above).
Manual setup instructions on Satellite 6.5:

On the Satellite server, run:

    sudo -u apache -H -s

    # Generate GPG key
    gpg --gen-key
    # Use the default "RSA and RSA", "2048" bits, and "key does not expire"
    # values, and simply press "Enter" when prompted for a password.
    # "Repository Metadata Signing Key" is an appropriate real name.
    # Email address and comment can be left blank.
    gpg --armor --export --output /usr/share/httpd/.gnupg/repomd.gpg

    # Sign existing repository metadata
    cd /var/lib/pulp/published/yum/master/yum_distributor/
    for d1 in * ; do ( cd $d1 ; for d2 in * ; do ( cd $d2/repomd ; echo $d1/$d2 ; gpg --yes --detach-sign --armor repomd.xml ) ; done ) ; done
    exit

    sudo -s

    # Configure Pulp (see the correction in the next comment: the value must be true)
    grep gpg_sign_metadata /etc/pulp/server/plugins.conf.d/yum_importer.json \
      || perl -i -0777 -pe 's/(max_speed.*?),?$/\1,\n\n "gpg_sign_metadata": false/m' /etc/pulp/server/plugins.conf.d/yum_importer.json
    exit

Grab /usr/share/httpd/.gnupg/repomd.gpg from the Satellite server and deploy it to /etc/rhsm/ca/repomd.gpg on each Satellite client.

On each Satellite client, run:

    sudo -s

    # Update /etc/rhsm/rhsm.conf
    grep '^\s*repomd_gpg_url' /etc/rhsm/rhsm.conf \
      && perl -i -pe 's!repomd_gpg_url.*$!repomd_gpg_url = file:///etc/rhsm/ca/repomd.gpg!' /etc/rhsm/rhsm.conf
    grep '^\s*repomd_gpg_url' /etc/rhsm/rhsm.conf \
      || perl -i -pe 's!baseurl= (.*)!baseurl = \1\n\n# Repository metadata GPG key URL:\nrepomd_gpg_url = file:///etc/rhsm/ca/repomd.gpg!' /etc/rhsm/rhsm.conf

    # Update /etc/yum.conf
    grep '^\s*repo_gpgcheck' /etc/yum.conf \
      && perl -i -pe 's/repo_gpgcheck.*$/repo_gpgcheck=1/' /etc/yum.conf
    grep '^\s*repo_gpgcheck' /etc/yum.conf \
      || echo repo_gpgcheck=1 >> /etc/yum.conf
    exit

Eventually (if my remaining pull requests are merged), `satellite-installer` will handle all of the Satellite server setup automatically, and the katello-ca-consumer RPM will handle repomd.gpg file deployment and rhsm.conf configuration automatically on Satellite clients, so the only manual configuration will be the repo_gpgcheck=1 setting in /etc/yum.conf.
Oops ... '"gpg_sign_metadata": false' should be '"gpg_sign_metadata": true'
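The signing step that runs through this whole thread (gpg --detach-sign --armor repomd.xml, first mentioned for a non-Satellite repo and then used in the 6.2.12 and 6.5 instructions) and the client-side check that repo_gpgcheck=1 turns on, as an added self-contained example that is not code from the thread, from Satellite or from Pulp. It generates a throwaway key in a temporary GNUPGHOME (the real Satellite key lives in the apache user's keyring and is made interactively or by satellite-installer), signs a constructed repomd.xml, verifies the detached signature in a second, empty keyring that holds only the exported public key (the client's repomd.gpg), and then shows that a modified repomd.xml fails verification. The key parameters, paths and repomd.xml content are all made up for the demo.

```shell
#!/bin/sh
# Added example, not Satellite/Pulp code: sign a constructed repomd.xml with a
# throwaway key and check the detached signature the way a repo_gpgcheck=1
# client does, then show that a modified repomd.xml no longer verifies.
set -e

# Create a temporary keyring and a made-up repodata/ tree under $1.
setup_repo() {
    work=$1
    export GNUPGHOME="$work/gnupg"
    mkdir -p "$GNUPGHOME" "$work/repodata"
    chmod 700 "$GNUPGHOME"
    cat > "$work/keyparams" <<'EOF'
%no-protection
Key-Type: RSA
Key-Length: 2048
Name-Real: Repository Metadata Signing Key
Expire-Date: 0
%commit
EOF
    gpg --batch --quiet --gen-key "$work/keyparams" 2>/dev/null
    # Constructed metadata (not from a real repo). repomd.xml carries the
    # checksums of primary.xml.gz etc., so signing it anchors the whole tree.
    cat > "$work/repodata/repomd.xml" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<repomd xmlns="http://linuxtools.org/xml/repo_metadata">
  <revision>1</revision>
  <data type="primary">
    <checksum type="sha256">e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855</checksum>
    <location href="repodata/primary.xml.gz"/>
  </data>
</repomd>
EOF
    # Public key only; this is what lands on clients as repomd.gpg
    gpg --batch --armor --export > "$work/repomd.gpg"
}

# Server side: produce repodata/repomd.xml.asc next to repomd.xml.
sign_repomd() {
    gpg --batch --yes --detach-sign --armor "$1/repodata/repomd.xml"
    test -f "$1/repodata/repomd.xml.asc"
}

# Client side: trust only the exported public key, then verify. Prints ok/FAIL.
verify_repomd() {
    client=$(mktemp -d)
    chmod 700 "$client"
    GNUPGHOME="$client" gpg --batch --quiet --import "$1/repomd.gpg" 2>/dev/null
    if GNUPGHOME="$client" gpg --batch --verify \
           "$1/repodata/repomd.xml.asc" "$1/repodata/repomd.xml" 2>/dev/null; then
        result=ok
    else
        result=FAIL
    fi
    rm -rf "$client"
    echo "$result"
    test "$result" = ok
}

# Simulate tampering after signing (e.g. a swapped primary.xml.gz checksum).
tamper_repomd() {
    printf '<!-- tampered -->\n' >> "$1/repodata/repomd.xml"
}

cleanup() {
    gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$1"
}

# Stand-alone run: sh sign_repomd.sh run
case "${1:-}" in
run)
    W=$(mktemp -d)
    setup_repo "$W"
    sign_repomd "$W"
    verify_repomd "$W"          # prints ok
    tamper_repomd "$W"
    verify_repomd "$W" || true  # prints FAIL
    cleanup "$W"
    ;;
esac
```

The verification deliberately imports nothing but the exported public key, which is the trust model the thread's client instructions set up (repomd_gpg_url pointing at /etc/rhsm/ca/repomd.gpg): any other key in a client's keyring is irrelevant to whether yum accepts the metadata. Note that the repomd.xml.asc is only as good as the keyring it was made with; if the signing key is regenerated on the server, every published repository has to be re-signed and the new repomd.gpg redeployed, which is what the loops over yum_distributor/ in the instructions above do.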