Bug 1654253 (RHV-H_4.3_STIG) - [RFE] STIG compliance for RHV-H
Summary: [RFE] STIG compliance for RHV-H
Keywords:
Status: CLOSED ERRATA
Alias: RHV-H_4.3_STIG
Product: Red Hat Enterprise Virtualization Manager
Classification: Red Hat
Component: redhat-virtualization-host
Version: 4.3.0
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: ovirt-4.3.3
Target Release: 4.3.0
Assignee: Yuval Turgeman
QA Contact: Huijuan Zhao
URL:
Whiteboard:
Depends On: 1634239
Blocks: 1653669
Reported: 2018-11-28 10:29 UTC by Sandro Bonazzola
Modified: 2019-05-08 12:32 UTC

Fixed In Version:
Doc Type: Enhancement
Doc Text:
The current release presents the OpenSCAP security profile as an option to users installing and upgrading Red Hat Virtualization Hosts. This feature helps organizations comply with the Security Content Automation Protocol (SCAP) standards.
Clone Of:
Environment:
Last Closed: 2019-05-08 12:32:19 UTC
oVirt Team: Node
Target Upstream Version:
Embargoed:
huzhao: testing_plan_complete+


Attachments
OpenSCAP Evaluation Report (640.00 KB, application/xhtml+xml)
2019-03-29 09:16 UTC, Huijuan Zhao


Links
System ID Private Priority Status Summary Last Updated
Red Hat Bugzilla 1636847 0 high CLOSED No SCAP security guide on Anaconda security policy page 2021-02-22 00:41:40 UTC
Red Hat Product Errata RHBA-2019:1053 0 None None None 2019-05-08 12:32:38 UTC
oVirt gerrit 96474 0 master MERGED stig: add openscap support to imgbased 2021-01-12 09:13:09 UTC

Internal Links: 1636847

Description Sandro Bonazzola 2018-11-28 10:29:04 UTC
We have STIG compliance for appliance tracked in bug #1392051 but we missed a tracking bug for RHV-H.
Tracking here missing parts for RHV-H.

Comment 1 cshao 2018-11-28 10:44:10 UTC
See: http://iase.disa.mil/stigs/Pages/index.aspx

Comment 3 Sandro Bonazzola 2019-02-21 15:37:30 UTC
Moving to 4.3.2 since the RHV-H profiles for STIG are not yet available.

Comment 4 Sandro Bonazzola 2019-03-12 09:22:20 UTC
Moving to 4.3.3, waiting on the new profile to be ready.

Comment 6 Huijuan Zhao 2019-03-29 09:12:53 UTC
Tested in rhvh-4.3.0.5-0.20190328.0, the RFE feature is available.


Test version:
# imgbase layout
rhvh-4.3.0.5-0.20190313.0
 +- rhvh-4.3.0.5-0.20190313.0+1
rhvh-4.3.0.5-0.20190328.0
 +- rhvh-4.3.0.5-0.20190328.0+1

Test steps:
1. Install rhvh-4.3.0.5-0.20190313.0, and choose the standard profile (xccdf_org.ssgproject.content_profile_standard) for "security policy" in Anaconda
2. Log in to rhvh, check the files in /var/lib/imgbased/openscap:
# cat /var/lib/imgbased/openscap/config
# ls -al /var/lib/imgbased/openscap/reports/
3. Upgrade rhvh to rhvh-4.3.0.5-0.20190328.0
4. Reboot and log in to rhvh-4.3.0.5-0.20190328.0, check the files in /var/lib/imgbased/openscap as in step 2

Test results:
1. After step 2, there is no report file in /var/lib/imgbased/openscap/reports/
# cat /var/lib/imgbased/openscap/config
[openscap]
configured = 1
datastream = /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml
profile = xccdf_org.ssgproject.content_profile_standard

2. After step 4, there is a scan report file in /var/lib/imgbased/openscap/reports/
# ls -al /var/lib/imgbased/openscap/reports/
total 648
dr-xr-x---. 2 root root   4096 Mar 29 08:53 .
dr-xr-x---. 3 root root   4096 Mar 29 08:08 ..
-rw-r--r--. 1 root root 655358 Mar 29 08:33 scap-report-20190329083010.html

Opening the report file scap-report-20190329083010.html in a browser shows the detailed OpenSCAP Evaluation Report.


So this RFE is solved in rhvh-4.3.0.5-0.20190328.0, move the status to VERIFIED.
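
A scripted form of the checks in test steps 2 and 4 above, as an added example that is not part of the original comments or of imgbased. The directory and config keys are those shown in the test results; the function names, return codes and the `--check` argument are assumptions of this example.

```shell
#!/bin/sh
# Added example: check the OpenSCAP state imgbased keeps on an RHV-H host.
# Paths and config keys are those shown in comment 6; the function names
# and return codes are assumptions of this example.

# Print the value of KEY from the [openscap] section of an INI-style file.
openscap_cfg_get() {  # usage: openscap_cfg_get FILE KEY
    awk -v key="$2" '
        /^\[/ { in_sec = ($0 == "[openscap]"); next }
        in_sec && index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1)
            v = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) { print v; exit }
        }' "$1"
}

# Return codes:
#   0  profile registered and at least one scan report present
#   1  no profile registered (config missing or configured != 1)
#   2  registered profile differs from the expected one
#   3  profile registered but no report yet (the state seen before the first upgrade)
check_openscap_state() {  # usage: check_openscap_state BASE_DIR EXPECTED_PROFILE
    base=$1
    expected=$2
    [ -r "$base/config" ] || return 1
    [ "$(openscap_cfg_get "$base/config" configured)" = "1" ] || return 1
    [ "$(openscap_cfg_get "$base/config" profile)" = "$expected" ] || return 2
    for f in "$base"/reports/scap-report-*.html; do
        if [ -s "$f" ]; then return 0; fi
    done
    return 3
}

# Stand-alone use on a host: sh check.sh --check <expected profile id>
if [ "${1:-}" = "--check" ]; then
    check_openscap_state /var/lib/imgbased/openscap "${2:-}"
    exit $?
fi
```

Return code 3 on a freshly installed host matches test result 1; after an upgrade the same call should return 0.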

Comment 7 Huijuan Zhao 2019-03-29 09:16:44 UTC
Created attachment 1549388 [details]
OpenSCAP Evaluation Report

Comment 10 Yuval Turgeman 2019-04-10 05:31:52 UTC
Not enabled by default - the user can select the profile during installation (it's part of the anaconda installer). If the user selected a security profile during the initial installation, this profile is registered on the system and will be reapplied on upgrades automatically.

Comment 12 errata-xmlrpc 2019-05-08 12:32:19 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:1053

