Red Hat Satellite engineering is moving the tracking of its product development work on Satellite to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "Satellite project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs will be migrated starting at the end of May. If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "Satellite project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/SAT-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 1489762 - [RFE] Provide certification for satellite compliance with common security standards.
Summary: [RFE] Provide certification for satellite compliance with common security sta...
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Satellite
Classification: Red Hat
Component: Security
Version: 6.2.11
Hardware: All
OS: Linux
unspecified
low with 4 votes
Target Milestone: Unspecified
Assignee: satellite6-bugs
QA Contact: Mirek Długosz
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2017-09-08 10:16 UTC by Matthew York
Modified: 2023-03-24 13:51 UTC (History)
20 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-11-22 17:55:52 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Knowledge Base (Solution) 2799971 0 Install None Is it supported to install Red Hat Satellite 6 or Red Hat Satellite Capsule 6 on a FIPS compliant system? 2019-03-05 22:46:37 UTC

Description Matthew York 2017-09-08 10:16:06 UTC 
RFE as requested by one of our potential customers.

Description of problem:
Although satellite provides openscap to help ensure that managed nodes are in compliance with PCI-DSS / STIG and many other standards, it would be really nice if we could get compliance certification for Satellite itself.

We do this for other products, and I think it would be really beneficial for satellite to have the same certifications.

Ideally, PCI-DSS would be the first, possibly CIS and STIG.

Version-Release number of selected component (if applicable):
Currently missing in 6.0.x, 6.1.x and 6.2.x. Would be great if we could get this in 6.3.x

The list of government certifications for all products is here.

https://access.redhat.com/articles/2918071
Comment 6 Kevin K. 2018-08-30 18:27:01 UTC 
This is biting us at the moment. Does anyone know which particular STIG is actually causing this failure? We have ability to apply for exceptions to particular STIGs, but need to know which one to disable or change in order to do so. So I don't see this as an all or nothing issue.
Comment 7 Kevin K. 2018-08-31 13:42:33 UTC 
For this particular issue it appears to be an SELinux denial. Because one of the STIG requirements is `SELINUX=enforcing`, while `satellite-installer` is running, it appears several files get created for `qpidd` which don't have the correct context.

```
# ausearch -m avc -c qpidd
type=PROCTITLE msg=audit(1535719817.865:2658): proctitle=2F7573722F7362696E2F7170696464002D2D636F6E666967002F6574632F717069642F71706964642E636F6E66
type=SYSCALL msg=audit(1535719817.865:2658): arch=c000003e syscall=4 success=no exit=-13 a0=7ffc3a4deba0 a1=7ffc3a4deb10 a2=7ffc3a4deb10 a3=2 items=0 ppid=1 pid=2821 auid=4294967295 uid=996 gid=994 euid=996 suid=996 fsuid=996 egid=994 sgid=994 fsgid=994 tty=(none) ses=4294967295 comm="qpidd" exe="/usr/sbin/qpidd" subj=system_u:system_r:qpidd_t:s0 key=(null)
type=AVC msg=audit(1535719817.865:2658): avc:  denied  { getattr } for  pid=2821 comm="qpidd" path="/var/lib/qpidd/.qpidd/qls/dat2/__db.001" dev="dm-5" ino=16954472 scontext=system_u:system_r:qpidd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
```

Notice `/var/lib/qpidd/.qpidd/qls/dat2/__db.001` has `unlabled_t`

A simple `restorecon` fixes it

```
# restorecon -R /var/lib/qpidd
```
Comment 12 Akshay Kapse 2019-01-23 10:45:31 UTC 
Red Hat Satellite version 6.4

# foreman_scap_client 1
File /var/lib/openscap/content/5dfe17df3f6578650ef24813ec433c96e68513235768ee9055466bd97a84bcec.xml is missing. Downloading it from proxy.
Download SCAP content xml from: https://satellite.example.com:9090/compliance/policies/1/content/5dfe17df3f6578650ef24813ec433c96e68513235768ee9055466bd97a84bcec
SCAP content is missing and download failed with error: SSL_connect returned=1 errno=0 state=SSLv3 read server session ticket A: tlsv1 alert unknown ca
Comment 16 Bryan Kearney 2019-11-22 17:55:52 UTC 
Thank you for your interest in Satellite 6. We have evaluated this request, and while we recognize that it is a valid request, we do not expect this to be implemented in the product in the foreseeable future. This is due to other priorities for the product, and not a reflection on the request itself. We are therefore closing this out as WONTFIX. If you have any concerns about this, please do not reopen. Instead, feel free to contact Red Hat Technical Support. Thank you.
Comment 17 Bryan Kearney 2019-11-22 17:55:58 UTC 
Thank you for your interest in Satellite 6. We have evaluated this request, and while we recognize that it is a valid request, we do not expect this to be implemented in the product in the foreseeable future. This is due to other priorities for the product, and not a reflection on the request itself. We are therefore closing this out as WONTFIX. If you have any concerns about this, please do not reopen. Instead, feel free to contact Red Hat Technical Support. Thank you.
Note You need to log in before you can comment on or make changes to this bug.