
Bug 1461330

Summary: package pam_pkcs11 is not installed by anaconda hardening
Product: Red Hat Enterprise Linux 7
Reporter: Marek Haicman <mhaicman>
Component: scap-security-guide
Assignee: Watson Yuuma Sato <wsato>
Status: CLOSED ERRATA
QA Contact: Marek Haicman <mhaicman>
Severity: high
Priority: high
Docs Contact:
Version: 7.4
CC: chartwel, jcerny, kenyon, lmiksik, mgrepl, mhaicman, mmarhefk, openscap-maint
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: scap-security-guide-0.1.33-5.el7
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
: 1566804 (view as bug list)
Environment:
Last Closed: 2017-08-01 12:24:43 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Marek Haicman 2017-06-14 08:52:36 UTC
Description of problem:
SCAP Security Guide can be used for installation of a hardened system, selected in the anaconda configuration screen. The output of this should be a system prepared for use.

Version-Release number of selected component (if applicable):
scap-security-guide-0.1.33-4.el7.noarch

How reproducible:
reliable

Steps to Reproduce:
1. install machine using example ospp kickstart shipped with SSG
2. fail to log in ("Login incorrect" immediately after providing the user name)
3. install machine using example ospp_kickstart, adding pam_pkcs11 and esc packages
4. be able to log in as admin user

Actual results:
pam_pkcs11 is not installed by anaconda

Expected results:
pam_pkcs11 is installed by anaconda and admin user can be logged in

Additional info:
Anaconda remediation is missing for xccdf_org.ssgproject.content_rule_smartcard_auth

Comment 1 Marek Haicman 2017-06-14 09:18:32 UTC
Additional info:
Profiles affected by this issue:
- PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7
- DISA STIG for Red Hat Enterprise Linux 7
- STIG for Red Hat Virtualization Hypervisor
- United States Government Configuration Baseline (USGCB / STIG) - DRAFT
- Unclassified Information in Non-federal Information Systems and Organizations (NIST 800-171)

Comment 2 Jan Černý 2017-06-14 15:39:18 UTC
The bug was fixed upstream in https://github.com/OpenSCAP/scap-security-guide/pull/2083

Comment 4 Marek Haicman 2017-06-15 13:45:49 UTC
Verified manually on version scap-security-guide-0.1.33-5.el7 that the anaconda kickstart is successfully updated to contain the aide package. I was able to log in as an admin user defined during installation.

Anaconda kickstart:
%packages
@^minimal
@core
aide
chrony
dracut-fips
esc
kexec-tools
openscap
openscap-scanner
pam_pkcs11
screen
-rsh
-rsh-server
-talk
-talk-server
-telnet
-telnet-server
-xinetd
-ypbind
-ypserv

%end

Note: Profile selected in anaconda was xccdf_org.ssgproject.content_profile_nist-800-171-cui

Comment 5 Marek Haicman 2017-06-15 13:47:44 UTC
Note a copy-paste error in Comment 4: the important packages to be included were "pam_pkcs11" and "esc", not aide.

Comment 6 errata-xmlrpc 2017-08-01 12:24:43 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2064

Comment 7 Watson Yuuma Sato 2017-11-16 15:34:16 UTC
*** Bug 1404842 has been marked as a duplicate of this bug. ***

Comment 8 Kenyon Ralph 2018-04-13 02:04:44 UTC
This is still not fixed in RHEL 7.5. pam_pkcs11 is not being installed by the stig-rhel7-disa OSCAP profile.

Comment 9 Watson Yuuma Sato 2018-04-13 13:31:53 UTC
Hello Kenyon,

Are you using the text-based installation?
oscap-anaconda-addon fails to install packages in TUI mode, see https://bugzilla.redhat.com/show_bug.cgi?id=1547609.

If not using the TUI, could you check if using the full ID of the profile resolves your issue?

profile = xccdf_org.ssgproject.content_profile_stig-rhel7-disa

Comment 10 Kenyon Ralph 2018-04-13 17:43:06 UTC
(In reply to Watson Yuuma Sato from comment #9)
> Hello Kenyon,
> 
> Are you using the text based installation?
> oscap-anaconda-addon fails to install packages when on TUI mode, see
> https://bugzilla.redhat.com/show_bug.cgi?id=1547609.
> 
> If not using TUI, could you check if using full ID of Profile resolves your
> issue? 
> 
> profile = xccdf_org.ssgproject.content_profile_stig-rhel7-disa

Yes, I am using the text installation mode. Thanks.

Comment 11 Kenyon Ralph 2018-04-13 19:00:13 UTC
(In reply to Kenyon Ralph from comment #10)
> (In reply to Watson Yuuma Sato from comment #9)
> > Hello Kenyon,
> > 
> > Are you using the text based installation?
> > oscap-anaconda-addon fails to install packages when on TUI mode, see
> > https://bugzilla.redhat.com/show_bug.cgi?id=1547609.
> > 
> > If not using TUI, could you check if using full ID of Profile resolves your
> > issue? 
> > 
> > profile = xccdf_org.ssgproject.content_profile_stig-rhel7-disa
> 
> Yes, I am using the text installation mode. Thanks.

With graphical anaconda, with profile = xccdf_org.ssgproject.content_profile_stig-rhel7-disa, it says "misconfiguration detected" under Security Policy. With profile = stig-rhel7-disa, it says "error fetching and loading content". So this must be yet another bug.

Comment 12 Matus Marhefka 2018-04-16 08:51:26 UTC
Hello Kenyon,

I think this "misconfiguration detected" error might be related to the partitioning of the disk. I believe that the DISA STIG profile requires you to have at least a separate /home partition.

Comment 13 Watson Yuuma Sato 2018-04-16 09:01:22 UTC
And regarding "error fetching and loading content", I have filed https://bugzilla.redhat.com/show_bug.cgi?id=1567151.

A quick test with the full profile ID of ospp-rhel7 worked. So the error "misconfiguration detected" is very likely related to the configuration of partitions.
As oscap-anaconda-addon cannot set up the partitions, only check them, your kickstart file should configure the partitions with the "part" or "partitions" option.
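The three failure modes in this thread (the smart-card packages left out of %packages, as in Comment 4/5; a short profile name instead of the full XCCDF profile ID, as in Comment 9/11; and no separate /home partition, as in Comment 12/13) can all be caught by linting the kickstart before anaconda runs it. The script below is an added example, not code from this bug, from scap-security-guide or from oscap-anaconda-addon. The `%addon org_fedora_oscap` block and the `part` lines use the addon's and kickstart's real syntax; the sample kickstart content, the temporary file names and the function names (`ks_section`, `ks_check`, and so on) are constructed for the example. The mount-point check also accepts `partition` and `logvol` lines, which is a generalisation beyond the `part` option the comment names.

```shell
#!/bin/sh
# Added example, not code from this bug or from scap-security-guide: lint a RHEL 7
# kickstart for the three problems discussed in the thread before anaconda runs it.
# The kickstart syntax is what comment 4 and the oscap-anaconda-addon use; the
# sample content below is constructed for the example.

# Print the body of "%<name> [arg] ... %end", e.g. ks_section ks.cfg %packages
# or ks_section ks.cfg %addon org_fedora_oscap ("%packages --ignoremissing" still matches).
ks_section() {
    awk -v h1="$2" -v h2="$3" '
        $1 == h1 && (h2 == "" || $2 == h2) { inside = 1; next }
        inside && $1 == "%end"            { inside = 0 }
        inside                            { print }
    ' "$1"
}

# Print the "profile = ..." value of the org_fedora_oscap addon block (empty if absent).
ks_oscap_profile() {
    ks_section "$1" %addon org_fedora_oscap | awk -F= '
        $1 ~ /^[[:space:]]*profile[[:space:]]*$/ { gsub(/^[[:space:]]+|[[:space:]]+$/, "", $2); print $2 }'
}

# Exit 0 if mount point $2 gets its own part/partition/logvol line in $1.
ks_has_mountpoint() {
    awk -v mp="$2" '($1 == "part" || $1 == "partition" || $1 == "logvol") && $2 == mp { found = 1 }
                    END { exit (found ? 0 : 1) }' "$1"
}

# Exit 0 if package $2 is listed in %packages of $1 and not also excluded as "-$2".
ks_has_package() {
    ks_section "$1" %packages | awk -v pkg="$2" '
        { sub(/#.*/, ""); gsub(/^[[:space:]]+|[[:space:]]+$/, "") }
        $0 == pkg         { found = 1 }
        $0 == ("-" pkg)   { excluded = 1 }
        END { exit (found && !excluded ? 0 : 1) }'
}

# Run every check on kickstart $1: one FAIL line per problem, exit 0 only when clean.
ks_check() {
    ks=$1; rc=0
    profile=$(ks_oscap_profile "$ks")
    case $profile in
        xccdf_org.ssgproject.content_profile_*) ;;
        "") echo "FAIL: no profile in %addon org_fedora_oscap"; rc=1 ;;
        *)  echo "FAIL: profile '$profile' is not a full XCCDF profile ID"; rc=1 ;;
    esac
    ks_has_mountpoint "$ks" /home || { echo "FAIL: /home is not a separate partition"; rc=1; }
    for pkg in pam_pkcs11 esc; do
        ks_has_package "$ks" "$pkg" || { echo "FAIL: $pkg missing from or excluded in %packages"; rc=1; }
    done
    [ "$rc" -eq 0 ] && echo "OK: $ks passes all checks"
    return "$rc"
}

# Constructed sample kickstart (package list trimmed; not the SSG-shipped ospp kickstart).
write_sample_kickstart() {
    cat > "$1" <<'EOF'
# graphical, not text: the addon did not install packages in TUI mode (bug 1547609)
graphical
zerombr
clearpart --all --initlabel
part /boot --fstype=xfs --size=1024
part /     --fstype=xfs --size=10240
part /home --fstype=xfs --size=2048
part swap  --size=2048

%addon org_fedora_oscap
    content-type = scap-security-guide
    profile = xccdf_org.ssgproject.content_profile_stig-rhel7-disa
%end

%packages
@^minimal
@core
esc
openscap-scanner
pam_pkcs11
-telnet-server
%end
EOF
}

# The same file with the thread's three mistakes: short profile name, no /home, pam_pkcs11 excluded.
write_broken_kickstart() {
    write_sample_kickstart "$1"
    sed -e 's/= xccdf_org.ssgproject.content_profile_stig-rhel7-disa$/= stig-rhel7-disa/' \
        -e '/^part \/home /d' -e 's/^pam_pkcs11$/-pam_pkcs11/' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Demonstration on the constructed samples.
good=$(mktemp) && write_sample_kickstart "$good" && ks_check "$good"
bad=$(mktemp) && write_broken_kickstart "$bad" && ks_check "$bad" || echo "(broken sample rejected, as expected)"
rm -f "$good" "$bad"
```

Run it as `sh ks-lint.sh` to see the good sample pass and the broken one report all three FAIL lines; to lint a real kickstart, source the file and call `ks_check /path/to/ks.cfg`. The check is deliberately static: it only proves the kickstart asks for the right things, so after installation still confirm with `rpm -q pam_pkcs11 esc` that the packages actually landed, since the TUI bug noted in Comment 9 drops them even from a correct kickstart.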