Created attachment 1515201
Screenshot of login error

Description of problem:
If the "PCI-DSS v3" security profile is selected during RHVH installation, there will be an error when logging in to the RHVH system on console, though login could succeed.

dell-per515-02 login: root
DEBUG:pam_config.c:238: Using config file /etc/pam_pkcs11/pam_pkcs11.conf
DEBUG:pkcs11_lib.c:182: Initializing NSS ...
DEBUG:pkcs11_lib.c:192: Initializing NSS ... database=/etc/pki/nssdb
DEBUG:pkcs11_lib.c:212: ... NSS Complete
DEBUG:pam_pkcs11.c:272: Is it a screen saver?
DEBUG:pam_pkcs11.c:287: explicit username = [root]
DEBUG:pam_pkcs11.c:315: loading pkcs #11 module...
DEBUG:pkcs11_lib.c:237: Looking up module in list
DEBUG:pkcs11_lib.c:240: modList = 0x1964350 next = 0x0
DEBUG:pkcs11_lib.c:241: dllName= <null>
DEBUG:pkcs11_lib.c:287: loading Module explictly, moduleSpec=<library="libcoolkeypk11.so" name="SmartCard"> module=libcoolkeypk11.so
DEBUG:pkcs11_lib.c:291: Failed to load SmartCard software Failure to load dynamic library.
ERROR:pam_pkcs11.c:318: load_pkcs11_module() failed:
Password:
DEBUG:pam_pkcs11.c:695: pam_sm_setcred() called
DEBUG:pam_pkcs11.c:695: pam_sm_setcred() called
Last login:.....

libcoolkeypk11.so is missing, which is provided by installing the coolkey package.

The "PCI-DSS v3" security policy requires 4 packages to be installed, including pam_pkcs11, esc, libreswan and aide. esc, which requires coolkey, is not included in the RHVH iso.

The issue now is whether esc could be included in the RHVH iso, as it also requires xulrunner, which will pull in a bunch of packages that are not relevant at all (X, mesa, alsa, etc.), and whether we need to solve the "load_pkcs11_module() failed" error, when it won't cause login to fail.

Version-Release number of selected component (if applicable):
RHVH-4.3-20181210.0-RHVH-x86_64-dvd1.iso

How reproducible:
100%

Steps to Reproduce:
1. Install RHVH-4.3-20181210.0-RHVH-x86_64-dvd1.iso
2. Select "PCI-DSS v3" security profile on Anaconda GUI security policy page
3. Log in to the RHVH system on console after installation has finished

Actual results:
1. There is an error saying "load_pkcs11_module() failed" when logging in on console

Expected results:
1. No error when logging in on console

Additional info:
No such error with rhel 7.6 when using the same security policy profile.
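The log above shows pam_pkcs11 being told to load a PKCS#11 module whose shared library is not installed. The script below is an added example, not part of the bug report or of pam_pkcs11, that checks a host for that condition; it assumes the usual pam_pkcs11.conf layout (a use_pkcs11_module setting naming a pkcs11_module block), and the function names and sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the bug report: report whether the PKCS#11 module
# selected in a pam_pkcs11.conf-style file is actually installed.

# Print the "module" value of the block named by use_pkcs11_module in file $1.
active_module() {
    awk '
        { sub(/#.*/, "") }                                   # strip comments
        /use_pkcs11_module[ \t]*=/ {                         # active block name
            want = $0; sub(/.*=[ \t]*/, "", want); sub(/[ \t]*;.*/, "", want)
        }
        /pkcs11_module[ \t]+[A-Za-z0-9_-]+[ \t]*[{]/ {       # entering a block
            cur = $0; sub(/.*pkcs11_module[ \t]+/, "", cur)
            sub(/[ \t]*[{].*/, "", cur)
        }
        /^[ \t]*module[ \t]*=/ {                             # its library
            v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]*;.*/, "", v)
            gsub(/"/, "", v); mod[cur] = v
        }
        END { if (want != "" && (want in mod)) print mod[want]; else exit 1 }
    ' "$1"
}

# Succeed if library $1 exists. Absolute paths are tested directly; bare
# names are looked up in the directories passed as the remaining arguments.
module_present() {
    lib=$1; shift
    case $lib in /*) [ -e "$lib" ] && return 0; return 1 ;; esac
    for d in "$@"; do [ -e "$d/$lib" ] && return 0; done
    return 1
}

# $1 = config file, remaining arguments = library directories to search.
check_pam_pkcs11() {
    conf=$1; shift
    name=$(active_module "$conf") || { echo "NOMODULE $conf"; return 2; }
    if module_present "$name" "$@"; then echo "OK $name"; return 0; fi
    echo "MISSING $name"; return 1
}

# Constructed sample mirroring the report: coolkey selected, library absent.
demo() {
    tmp=$(mktemp -d); mkdir "$tmp/lib64"
    cat > "$tmp/pam_pkcs11.conf" <<'EOF'
pam_pkcs11 {
  use_pkcs11_module = coolkey;
  pkcs11_module coolkey {
    module = libcoolkeypk11.so;
  }
}
EOF
    check_pam_pkcs11 "$tmp/pam_pkcs11.conf" "$tmp/lib64" && rc=0 || rc=$?
    rm -rf "$tmp"; return "$rc"
}
demo || :   # prints: MISSING libcoolkeypk11.so
```

On a real host the call would be check_pam_pkcs11 /etc/pam_pkcs11/pam_pkcs11.conf followed by the library directories to search; which directories the loader uses on a given system is an assumption to confirm locally.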
This bug is derived from Bug 1633975, where the customer selected the "PCI-DSS v3" security profile during RHVH installation and failed to log in to the system after installation finished.

During verification of Bug 1633975, the "load_pkcs11_module() failed" error occurred as above, and it could be solved by installing the esc package during RHVH installation. The esc package is also required by some other security policies, like "NIST 800-171" and "DISA STIG".

This bug is more about the esc package missing in RHVH, so changing the title to make it clearer.
Let's check how much this will increase the size of the iso and re-evaluate.
without esc package:
00:01:45.572 Install 2 Packages (+596 Dependent packages)
00:01:45.572
00:01:45.572 Total size: 297 M
00:01:45.572 Total download size: 297 M
00:01:45.572 Installed size: 1.0 G

with esc package:
00:07:40.404 Install 2 Packages (+655 Dependent packages)
00:07:40.404
00:07:40.439 Total size: 336 M
00:07:40.439 Total download size: 336 M
00:07:40.439 Installed size: 1.1 G

Increase is around 10%. We may need to ask platform to split the esc package for headless deployments and workstation deployments.
Yuval, can you check if esc package is really used or if it's meant to be used only on workstation hardening? If so a possible workaround is to provide a dummy esc package.
We are creating RHV compatible profiles and OpenSC should be replacing ESC. Closing this bug as wontfix accordingly.