Bug 1465533 - oscap-anaconda-addon does not run smartcard_auth rule anaconda fix when using virt-install
Status: NEW
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: oscap-anaconda-addon
Version: 7.4
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: ---
Assigned To: Martin Preisler
Reported: 2017-06-27 10:59 EDT by Matus Marhefka
Modified: 2017-06-28 21:20 EDT
Type: Bug
Description Matus Marhefka 2017-06-27 10:59:19 EDT
Description of problem:
When using virt-install for installation of a RHEL-7.4 system with oscap-anaconda-addon and some compliance profile, the smartcard_auth rule (CCE-80207-4) anaconda fix is not performed. The fix should add the packages "pam_pkcs11" and "esc" to the final kickstart file, but they are not added:

# cat /root/anaconda-ks.cfg
...
%packages
@^Server with GUI
@base
@core
@desktop-debugging
@dial-up
@fonts
@gnome-desktop
@guest-agents
@guest-desktop-agents
@hardware-monitoring
@input-methods
@internet-browser
@multimedia
@print-client
@x11
aide
chrony
kexec-tools
libreswan
openscap
openscap-scanner
scap-security-guide
...

When installing using virt-manager, the fix works as expected and /root/anaconda-ks.cfg contains the "pam_pkcs11" and "esc" packages.


Version-Release number of selected component (if applicable):
oscap-anaconda-addon-0.7-15.el7
scap-security-guide-0.1.33-5.el7.noarch


How reproducible:
always


Steps to Reproduce:
# yum install -y scap-security-guide
# export KICKSTART=/usr/share/scap-security-guide/kickstart/ssg-rhel7-pci-dss-server-with-gui-oaa-ks.cfg
# qemu-img create -f qcow2 ./test 21G
# virt-install --initrd-inject=$KICKSTART --extra-args="ks=file:/$KICKSTART console=tty0 console=ttyS0,115200" --name=test --os-type linux --os-variant=rhel7 --disk path=./test,size=21,format=qcow2 --graphics none --ram 1024 --vcpus=1 --network bridge=virbr0 --location=http://download.eng.bos.redhat.com/rel-eng/RHEL-7.4-20170621.0/compose/Server/x86_64/os
After installation it is impossible to log in as the root user with the default password "server" as configured in the $KICKSTART.


Actual results:
smartcard_auth rule (CCE-80207-4) anaconda fix IS NOT performed.

Expected results:
smartcard_auth rule (CCE-80207-4) anaconda fix IS performed.
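
A check for the symptom described above, added here as an example and not part of the bug report or of oscap-anaconda-addon: it extracts the plain package names from a kickstart's %packages section and reports which expected ones (here "pam_pkcs11" and "esc") are absent. The function names and the embedded sample kickstart are constructed for illustration; on an installed system the file to check would be /root/anaconda-ks.cfg.

```shell
# ks_packages FILE: print plain package names from every %packages section,
# skipping @groups, -exclusions, comments and blank lines.
ks_packages() {
    awk '
        /^%packages/ { in_pkgs = 1; next }   # section start (options may follow)
        /^%end/      { in_pkgs = 0; next }   # section end
        /^%/         { in_pkgs = 0 }         # any other section header closes it
        in_pkgs {
            sub(/#.*/, "")                   # strip comments
            gsub(/^[ \t]+|[ \t]+$/, "")      # trim whitespace
            if ($0 == "" || $0 ~ /^[@-]/) next
            print
        }
    ' "$1"
}

# ks_missing FILE PKG...: print the expected packages absent from FILE,
# space-separated; return 1 if any are missing, 0 otherwise.
ks_missing() {
    file=$1; shift
    present=$(ks_packages "$file")
    missing=""
    for pkg in "$@"; do
        printf '%s\n' "$present" | grep -qxF -- "$pkg" || missing="$missing $pkg"
    done
    missing=${missing# }
    [ -z "$missing" ] && return 0
    printf '%s\n' "$missing"
    return 1
}

# Constructed sample: a shortened %packages section like the one in the report.
sample=$(mktemp)
cat > "$sample" <<'EOF'
%packages
@^Server with GUI
aide
chrony
openscap
scap-security-guide
%end
EOF

missing=$(ks_missing "$sample" pam_pkcs11 esc openscap) \
    || echo "missing from %packages: $missing"
```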
Comment 2 Matus Marhefka 2017-06-27 11:12:14 EDT
To be able to log in to the machine, you can add a %post section at the end of the $KICKSTART file:

%post
useradd testuser
echo password | passwd --stdin testuser
echo "testuser ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers
sed -i 's/^.*requiretty/#&/g' /etc/sudoers
echo 'Defaults !requiretty' >> /etc/sudoers
%end

and then after installation:
# ssh testuser@VM_IP
with the password "password".
