Bug 1465533 - oscap-anaconda-addon does not run smartcard_auth rule anaconda fix when using virt-install
Status: NEW
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: oscap-anaconda-addon
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: ---
Assigned To: Martin Preisler
Depends On:
Reported: 2017-06-27 10:59 EDT by Matus Marhefka
Modified: 2017-11-13 11:29 EST

See Also:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Last Closed:
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Description Matus Marhefka 2017-06-27 10:59:19 EDT
Description of problem:
When using virt-install for installation of a RHEL-7.4 system with oscap-anaconda-addon and some compliance profile, the smartcard_auth rule (CCE-80207-4) anaconda fix is not performed. The fix should add the packages "pam_pkcs11" and "esc" to the final kickstart file, but they are not added:

# cat /root/anaconda-ks.cfg
@^Server with GUI

When installing using virt-manager, the fix works as expected and /root/anaconda-ks.cfg contains the "pam_pkcs11" and "esc" packages.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
# yum install -y scap-security-guide
# export KICKSTART=/usr/share/scap-security-guide/kickstart/ssg-rhel7-pci-dss-server-with-gui-oaa-ks.cfg
# qemu-img create -f qcow2 ./test 21G
# virt-install --initrd-inject=$KICKSTART --extra-args="ks=file:/$KICKSTART console=tty0 console=ttyS0,115200" --name=test --os-type linux --os-variant=rhel7 --disk path=./test,size=21,format=qcow2 --graphics none --ram 1024 --vcpus=1 --network bridge=virbr0 --location=http://download.eng.bos.redhat.com/rel-eng/RHEL-7.4-20170621.0/compose/Server/x86_64/os
After installation, it is impossible to log in as the root user with the default password "server" as configured in the $KICKSTART.

Actual results:
smartcard_auth rule (CCE-80207-4) anaconda fix IS NOT performed.

Expected results:
smartcard_auth rule (CCE-80207-4) anaconda fix IS performed.
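
One way to check the condition described above after an install: parse the %packages sections of the resulting kickstart and report which of "pam_pkcs11" and "esc" are absent. This is an added example, not part of the bug report or of oscap-anaconda-addon; the function names and the sample kickstart are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the bug report); function names are hypothetical.

# Constructed sample: the %packages content of the failing case shown above.
sample_failing_ks() {
    cat <<'EOF'
%packages
@^Server with GUI
%end
EOF
}

# Print each package named in the %packages sections of kickstart file $1.
# Skips groups/environments (@...), exclusions (-pkg), comments, blank lines.
ks_packages() {
    awk '
        /^%packages/ { in_pkgs = 1; next }
        /^%/         { in_pkgs = 0; next }  # %end or the start of another section
        in_pkgs {
            sub(/#.*/, "")                  # strip trailing comment
            gsub(/^[ \t]+|[ \t]+$/, "")     # trim whitespace
            if ($0 == "" || $0 ~ /^[@-]/) next
            print $1
        }
    ' "$1"
}

# Print the required packages (arguments 2..n) that kickstart $1 does not
# list; return 1 if any is missing, 0 otherwise.
missing_ks_packages() {
    ks=$1; shift
    rc=0
    for pkg in "$@"; do
        if ! ks_packages "$ks" | grep -qxF -- "$pkg"; then
            echo "$pkg"
            rc=1
        fi
    done
    return "$rc"
}

# Demo on the constructed sample; on an installed system pass /root/anaconda-ks.cfg.
tmp=$(mktemp)
sample_failing_ks > "$tmp"
missing_ks_packages "$tmp" pam_pkcs11 esc || echo "smartcard_auth packages not in kickstart" >&2
rm -f "$tmp"
```
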
Comment 2 Matus Marhefka 2017-06-27 11:12:14 EDT
To be able to log in to the machine, you can add a %post section at the end of the $KICKSTART file:

useradd testuser
echo password | passwd --stdin testuser
echo "testuser ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers
sed -i 's/^.*requiretty/#&/g' /etc/sudoers
echo 'Defaults !requiretty' >> /etc/sudoers

and then after installation:
# ssh testuser@VM_IP
with the password "password".