Bug 1636847 - No SCAP security guide on Anaconda security policy page
Summary: No SCAP security guide on Anaconda security policy page
Keywords:
Status: ASSIGNED
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: oscap-anaconda-addon
Version: 7.6
Hardware: Unspecified
OS: Unspecified
unspecified
high
Target Milestone: rc
: ---
Assignee: Matěj Týč
QA Contact: Release Test Team
Sharon Moroney
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2018-10-08 06:26 UTC by Sandro Bonazzola
Modified: 2019-03-20 15:20 UTC (History)
14 users (show)

Fixed In Version:
Doc Type: Known Issue
Doc Text:
The content location detection code is not working on Red Hat Virtualization Hosts Red Hat Virtualization Hosts cannot select the hardening profile from locally-installed content. To work around this problem, use the _oscap-anaconda-addon_ package to fetch the Red Hat Enterprise Linux datastream file from a URL. 1. Upload the `ssg-rhel7-ds.xml` datastream file from the Red Hat Enterprise Linux 7 _scap-security-guide_ package to your network so it can be discovered by Anaconda. To do so: a) Use Python to set up a web server in a directory that contains the `ssg-rhel7-ds.xml` datastream file and listens on port 8000. Example: python2 -m SimpleHTTPServer, or python3 -m http.server. or, b) Upload the `ssg-rhel7-ds.xml` datastream file to a HTTPS or FTP Server. 2. In the *Security Policy* window of Anaconda’s Graphical User Interface, click *Change Content* and enter the URL that points to the `ssg-rhel7-ds.xml` datastream file, for example: http://gateway:8000/ssg-rhel7-ds.xml or ftp://my-ftp-server/ssg-rhel7-ds.xml. The `ssg-rhel7-ds.xml` datastream file is now available and Red Hat Virtualization Hosts can select the hardening profile.
Clone Of: 1634239
Environment:
Last Closed:


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Bugzilla 1634239 None CLOSED No SCAP security guide on Anaconda security policy page 2019-08-13 14:11:49 UTC
Red Hat Bugzilla 1654253 None CLOSED [RFE] STIG compliance for RHV-H 2019-08-13 14:11:49 UTC

Internal Links: 1634239 1654253

Description Sandro Bonazzola 2018-10-08 06:26:09 UTC
Cloned to RHEL 7.6 for tracking




+++ This bug was initially created as a clone of Bug #1634239 +++

Description of problem:
Install RHVH-4.2-20180919.3-RHVH-x86_64-dvd1.iso, there is no SCAP security guide on Anaconda security policy page.
No such issue with RHEL 7.6

Version-Release number of selected component (if applicable):
RHVH-4.2-20180919.3-RHVH-x86_64-dvd1.iso

How reproducible:
100%

Steps to Reproduce:
1.Install RHVH-4.2-20180919.3-RHVH-x86_64-dvd1.iso, open SECURITY POLICY page on Anaconda

Actual results:
There is no SCAP security guide.

Expected results:
SCAP security guide should be present when the security policy page is opened.

Additional info:

--- Additional comment from Yuval Turgeman on 2018-10-07 07:43:13 EDT ---

Looks like oscap-anaconda-addon has changed to search for its content according to the productName - it used to search for:

"/usr/share/xml/scap/ssg/content/ssg-rhel%s-ds.xml" % productVersion... which expands to ssg-rhel7-ds.xml and is available from scap-security-guide.

and now it searches for:

"/usr/share/xml/scap/ssg/content/ssg-%s%s-ds.xml" % (productName, productVersion..")  which expands in RHVH to ssg-RHVH4-ds.xml and this doesn't exist in scap-security-guide.

Comment 4 Matěj Týč 2018-10-24 11:29:58 UTC
Hello Sharon,

- datastream is a term defined in the SCAP standard. It is a XML file that a SCAP scanner s.a. oscap is able to consume. Datastreams contain definitions / checks for various security rules, and if one wants to install a RHEL7 system, one needs a RHEL7 datastream. Typically, the filename of that datastream is ssg-rhel7-ds.xml, as this is the name that we use in the scap-security-guide package and that file should have been selected.

- The button is in the oscap "Security Policy" spoke.

- Those URLs were examples, position of s.a. is incorrect, but it may be any of those URLs or none of them - it just depends on where the datastream ends up.

- By content I meant the datastream. The datastream typically contains several applicable security profiles.

Comment 6 Matěj Týč 2018-10-24 13:16:46 UTC
I would not omit those URL examples, as they may increase confidence about how those URLs should look like.
Next, I have realized that affected users may not be 100% certain concerning what a datastream is, so I would mention that they want to upload the ssh-rhel7-ds.xml file from the scap-security-guide package that is shipped in the corresponding version of RHEL7.

Comment 9 Matěj Týč 2018-10-25 13:58:29 UTC
Excuse me, I forgot to reply to you. I approve the last version, thank for your work!

Comment 12 Matěj Týč 2018-10-26 10:50:45 UTC
Hi Sharon, you are right - it is a package.


Note You need to log in before you can comment on or make changes to this bug.