Bug 1636847 - No SCAP security guide on Anaconda security policy page
Summary: No SCAP security guide on Anaconda security policy page
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: oscap-anaconda-addon
Version: 7.6
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: rc
Target Release: ---
Assignee: Matěj Týč
QA Contact: Release Test Team
Docs Contact: Sharon Moroney
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2018-10-08 06:26 UTC by Sandro Bonazzola
Modified: 2020-03-12 12:31 UTC (History)

Fixed In Version:
Doc Type: Known Issue
Doc Text:
The content location detection code is not working on Red Hat Virtualization Hosts

Red Hat Virtualization Hosts cannot select the hardening profile from locally-installed content. To work around this problem, use the _oscap-anaconda-addon_ package to fetch the Red Hat Enterprise Linux datastream file from a URL.

1. Upload the `ssg-rhel7-ds.xml` datastream file from the Red Hat Enterprise Linux 7 _scap-security-guide_ package to your network so it can be discovered by Anaconda. To do so:
   a) Use Python to set up a web server in a directory that contains the `ssg-rhel7-ds.xml` datastream file and listens on port 8000. Example: `python2 -m SimpleHTTPServer`, or `python3 -m http.server`.
   or,
   b) Upload the `ssg-rhel7-ds.xml` datastream file to an HTTPS or FTP server.
2. In the *Security Policy* window of Anaconda’s Graphical User Interface, click *Change Content* and enter the URL that points to the `ssg-rhel7-ds.xml` datastream file, for example: http://gateway:8000/ssg-rhel7-ds.xml or ftp://my-ftp-server/ssg-rhel7-ds.xml.

The `ssg-rhel7-ds.xml` datastream file is now available and Red Hat Virtualization Hosts can select the hardening profile.
Clone Of: 1634239
Environment:
Last Closed: 2020-03-02 11:43:16 UTC
Target Upstream Version:
Embargoed:




Links
System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Bugzilla | 1634239 | 0 | unspecified | CLOSED | No SCAP security guide on Anaconda security policy page | 2021-02-22 00:41:40 UTC
Red Hat Bugzilla | 1654253 | 0 | high | CLOSED | [RFE] STIG compliance for RHV-H | 2021-02-22 00:41:40 UTC

Internal Links: 1634239 1654253

Description Sandro Bonazzola 2018-10-08 06:26:09 UTC
Cloned to RHEL 7.6 for tracking




+++ This bug was initially created as a clone of Bug #1634239 +++

Description of problem:
Install RHVH-4.2-20180919.3-RHVH-x86_64-dvd1.iso, there is no SCAP security guide on Anaconda security policy page.
No such issue with RHEL 7.6

Version-Release number of selected component (if applicable):
RHVH-4.2-20180919.3-RHVH-x86_64-dvd1.iso

How reproducible:
100%

Steps to Reproduce:
1. Install RHVH-4.2-20180919.3-RHVH-x86_64-dvd1.iso, open SECURITY POLICY page on Anaconda

Actual results:
There is no SCAP security guide.

Expected results:
SCAP security guide should be present when the security policy page is opened.

Additional info:

--- Additional comment from Yuval Turgeman on 2018-10-07 07:43:13 EDT ---

Looks like oscap-anaconda-addon has changed to search for its content according to the productName - it used to search for:

"/usr/share/xml/scap/ssg/content/ssg-rhel%s-ds.xml" % productVersion... which expands to ssg-rhel7-ds.xml and is available from scap-security-guide.

and now it searches for:

"/usr/share/xml/scap/ssg/content/ssg-%s%s-ds.xml" % (productName, productVersion..")  which expands in RHVH to ssg-RHVH4-ds.xml and this doesn't exist in scap-security-guide.
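
The lookup mismatch described in the comment above, as an added diagnostic sketch; it is not code from oscap-anaconda-addon. The function names are hypothetical, the version is passed in already reduced to the digit shown in the expanded names, and the directory contents in `demo()` are constructed.

```python
import glob
import os
import tempfile

CONTENT_DIR = "/usr/share/xml/scap/ssg/content"  # directory named in the comment


def old_name(version):
    """File name produced by the earlier lookup quoted above."""
    return "ssg-rhel%s-ds.xml" % version


def new_name(product, version):
    """File name produced by the product-based lookup quoted above."""
    return "ssg-%s%s-ds.xml" % (product, version)


def diagnose(product, version, content_dir=CONTENT_DIR):
    """Compare the name the product-based lookup wants with what is installed."""
    wanted = new_name(product, version)
    pattern = os.path.join(content_dir, "ssg-*-ds.xml")
    installed = sorted(os.path.basename(p) for p in glob.glob(pattern))
    return {"wanted": wanted, "found": wanted in installed, "installed": installed}


def demo():
    """Constructed content directory holding only the RHEL 7 datastream."""
    with tempfile.TemporaryDirectory() as content_dir:
        open(os.path.join(content_dir, "ssg-rhel7-ds.xml"), "w").close()
        return diagnose("RHVH", "4", content_dir)


if __name__ == "__main__":
    report = demo()
    print("wanted:   ", report["wanted"])
    print("found:    ", report["found"])
    print("installed:", ", ".join(report["installed"]))
    print("old lookup name present:", old_name("7") in report["installed"])
```

Run against the real content directory on an installed host with `diagnose("RHVH", "4")` to see which datastream names are actually available.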

Comment 4 Matěj Týč 2018-10-24 11:29:58 UTC
Hello Sharon,

- datastream is a term defined in the SCAP standard. It is an XML file that a SCAP scanner s.a. oscap is able to consume. Datastreams contain definitions / checks for various security rules, and if one wants to install a RHEL7 system, one needs a RHEL7 datastream. Typically, the filename of that datastream is ssg-rhel7-ds.xml, as this is the name that we use in the scap-security-guide package and that file should have been selected.

- The button is in the oscap "Security Policy" spoke.

- Those URLs were examples, position of s.a. is incorrect, but it may be any of those URLs or none of them - it just depends on where the datastream ends up.

- By content I meant the datastream. The datastream typically contains several applicable security profiles.
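
A check that a file about to be served at a URL really is a SCAP source datastream, and which profiles it carries, as an added example that is not part of the original comment or of oscap-anaconda-addon. The function name, the sample document and its profile IDs are constructed; the namespaces are those of SCAP 1.2 source datastreams and XCCDF 1.2.

```python
import xml.etree.ElementTree as ET

DS_NS = "http://scap.nist.gov/schema/scap/source/1.2"  # SCAP source datastream
XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"      # XCCDF 1.2 checklist

# Constructed sample: a minimal datastream collection with two profiles.
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<ds:data-stream-collection xmlns:ds="http://scap.nist.gov/schema/scap/source/1.2"
                           xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2"
                           id="scap_org.example_collection">
  <ds:component id="scap_org.example_comp_xccdf">
    <xccdf:Benchmark id="xccdf_org.example_benchmark_RHEL-7">
      <xccdf:Profile id="xccdf_org.example_profile_standard">
        <xccdf:title>Standard baseline</xccdf:title>
      </xccdf:Profile>
      <xccdf:Profile id="xccdf_org.example_profile_strict">
        <xccdf:title>Strict baseline</xccdf:title>
      </xccdf:Profile>
    </xccdf:Benchmark>
  </ds:component>
</ds:data-stream-collection>
"""


def list_profiles(xml_bytes):
    """Return [(profile_id, title)]; raise ValueError if not a usable datastream."""
    # A datastream needs no DTD; refusing one avoids entity-expansion
    # problems in a file that travels over the network.
    if b"<!DOCTYPE" in xml_bytes:
        raise ValueError("DOCTYPE not expected in a SCAP datastream")
    try:
        root = ET.fromstring(xml_bytes)
    except ET.ParseError as exc:
        raise ValueError("not well-formed XML: %s" % exc)
    if root.tag != "{%s}data-stream-collection" % DS_NS:
        raise ValueError("root element is %s, not a source datastream" % root.tag)
    profiles = []
    for prof in root.iter("{%s}Profile" % XCCDF_NS):
        title = prof.findtext("{%s}title" % XCCDF_NS, default="").strip()
        profiles.append((prof.get("id"), title))
    if not profiles:
        raise ValueError("datastream contains no XCCDF profiles")
    return profiles


if __name__ == "__main__":
    for profile_id, title in list_profiles(SAMPLE):
        print(profile_id, "-", title)
```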

Comment 6 Matěj Týč 2018-10-24 13:16:46 UTC
I would not omit those URL examples, as they may increase confidence about what those URLs should look like.
Next, I have realized that affected users may not be 100% certain concerning what a datastream is, so I would mention that they want to upload the ssh-rhel7-ds.xml file from the scap-security-guide package that is shipped in the corresponding version of RHEL7.

Comment 9 Matěj Týč 2018-10-25 13:58:29 UTC
Excuse me, I forgot to reply to you. I approve the last version, thanks for your work!

Comment 12 Matěj Týč 2018-10-26 10:50:45 UTC
Hi Sharon, you are right - it is a package.

