Bug 1636847 – No SCAP security guide on Anaconda security policy page

Bugzilla will be upgraded to version 5.0. The upgrade date is tentatively scheduled for 2 December 2018, pending final testing and feedback.

Bug 1636847 - No SCAP security guide on Anaconda security policy page

Summary:	No SCAP security guide on Anaconda security policy page

Status:	ASSIGNED

Aliases:	None

Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	oscap-anaconda-addon (Show other bugs)
Sub Component:
Version:	7.6
Hardware:	Unspecified Unspecified

Priority	unspecified Severity high
Target Milestone:	rc
Target Release:	---
Assigned To:	Matěj Týč
QA Contact:	Release Test Team
Docs Contact:	Sharon Moroney

URL:
Whiteboard:
Keywords:	Regression

Depends On:
Blocks:	ovirt-node-ng-43-platform
	Show dependency tree / graph

Reported:	2018-10-08 02:26 EDT by Sandro Bonazzola
Modified:	2018-10-31 21:38 EDT (History)
CC List:	14 users (show)

See Also:	1634239
Fixed In Version:
Doc Type:	Known Issue
Doc Text:	The content location detection code is not working on Red Hat Virtualization Hosts Red Hat Virtualization Hosts cannot select the hardening profile from locally-installed content. To work around this problem, use the _oscap-anaconda-addon_ package to fetch the Red Hat Enterprise Linux datastream file from a URL. 1. Upload the `ssg-rhel7-ds.xml` datastream file from the Red Hat Enterprise Linux 7 _scap-security-guide_ package to your network so it can be discovered by Anaconda. To do so: a) Use Python to set up a web server in a directory that contains the `ssg-rhel7-ds.xml` datastream file and listens on port 8000. Example: python2 -m SimpleHTTPServer, or python3 -m http.server. or, b) Upload the `ssg-rhel7-ds.xml` datastream file to a HTTPS or FTP Server. 2. In the Security Policy window of Anaconda’s Graphical User Interface, click Change Content and enter the URL that points to the `ssg-rhel7-ds.xml` datastream file, for example: http://gateway:8000/ssg-rhel7-ds.xml or ftp://my-ftp-server/ssg-rhel7-ds.xml. The `ssg-rhel7-ds.xml` datastream file is now available and Red Hat Virtualization Hosts can select the hardening profile.
Story Points:	---
Clone Of:	1634239
Environment:
Last Closed:
Type:	Bug
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	Node
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Groups: None (edit)

Description Sandro Bonazzola 2018-10-08 02:26:09 EDT

Cloned to RHEL 7.6 for tracking




+++ This bug was initially created as a clone of Bug #1634239 +++

Description of problem:
Install RHVH-4.2-20180919.3-RHVH-x86_64-dvd1.iso, there is no SCAP security guide on Anaconda security policy page.
No such issue with RHEL 7.6

Version-Release number of selected component (if applicable):
RHVH-4.2-20180919.3-RHVH-x86_64-dvd1.iso

How reproducible:
100%

Steps to Reproduce:
1.Install RHVH-4.2-20180919.3-RHVH-x86_64-dvd1.iso, open SECURITY POLICY page on Anaconda

Actual results:
There is no SCAP security guide.

Expected results:
SCAP security guide should be present when the security policy page is opened.

Additional info:

--- Additional comment from Yuval Turgeman on 2018-10-07 07:43:13 EDT ---

Looks like oscap-anaconda-addon has changed to search for its content according to the productName - it used to search for:

"/usr/share/xml/scap/ssg/content/ssg-rhel%s-ds.xml" % productVersion... which expands to ssg-rhel7-ds.xml and is available from scap-security-guide.

and now it searches for:

"/usr/share/xml/scap/ssg/content/ssg-%s%s-ds.xml" % (productName, productVersion..")  which expands in RHVH to ssg-RHVH4-ds.xml and this doesn't exist in scap-security-guide.

Comment 2 Matěj Týč 2018-10-08 11:17:12 EDT

This corresponds to upstream issues
https://github.com/OpenSCAP/oscap-anaconda-addon/issues/80
and
https://github.com/OpenSCAP/oscap-anaconda-addon/issues/79

Comment 4 Matěj Týč 2018-10-24 07:29:58 EDT

Hello Sharon,

- datastream is a term defined in the SCAP standard. It is a XML file that a SCAP scanner s.a. oscap is able to consume. Datastreams contain definitions / checks for various security rules, and if one wants to install a RHEL7 system, one needs a RHEL7 datastream. Typically, the filename of that datastream is ssg-rhel7-ds.xml, as this is the name that we use in the scap-security-guide package and that file should have been selected.

- The button is in the oscap "Security Policy" spoke.

- Those URLs were examples, position of s.a. is incorrect, but it may be any of those URLs or none of them - it just depends on where the datastream ends up.

- By content I meant the datastream. The datastream typically contains several applicable security profiles.

Comment 6 Matěj Týč 2018-10-24 09:16:46 EDT

I would not omit those URL examples, as they may increase confidence about how those URLs should look like.
Next, I have realized that affected users may not be 100% certain concerning what a datastream is, so I would mention that they want to upload the ssh-rhel7-ds.xml file from the scap-security-guide package that is shipped in the corresponding version of RHEL7.

Comment 9 Matěj Týč 2018-10-25 09:58:29 EDT

Excuse me, I forgot to reply to you. I approve the last version, thank for your work!

Comment 12 Matěj Týč 2018-10-26 06:50:45 EDT

Hi Sharon, you are right - it is a package.

Note You need to log in before you can comment on or make changes to this bug.