Bug 1699787
| Summary: | Insights reports on SMBLoris after IdM installation, due to missing configuration | | |
|---|---|---|---|
| Product: | Red Hat Hybrid Cloud Console (console.redhat.com) | Reporter: | Oliver Falk <ofalk> |
| Component: | Insights - Rules | Assignee: | Jaylin Zhou <zzhou> |
| Status: | CLOSED DUPLICATE | QA Contact: | Jeff Needle <jneedle> |
| Severity: | high | Docs Contact: | Kevin Blake <kblake> |
| Priority: | high | | |
| Version: | unspecified | CC: | abokovoy, jnewton, peter.vreman, pvoborni, rcritten, robwilli, skontar, tscherf, zzhou |
| Target Milestone: | --- | Keywords: | Reopened |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2019-04-24 10:39:22 UTC | Type: | Bug |

Please assess the impact of this issue and update the severity accordingly. Please refer to https://bugzilla.redhat.com/page.cgi?id=fields.html#bug_severity for a reminder on each severity's definition. If it's something like a tracker bug where it doesn't matter, please set the severity to Low.

This BZ is for IdM product and not Insights. The IPA installer creates an almost empty smb.conf that misses the 'max smbd processes = 1000' entry.

Moving this to RHEL/ipa, since it only happens after ipa-adtrust-install.

BTW: This does actually _start_ SMB, but doesn't _enable_ it:
# for x in enabled active; do systemctl is-$x smb; done
disabled
active

The configuration is as intended. IdM manages all services by itself because they are configured across a cluster of nodes with LDAP storage. On a specific node, the 'ipa.service' systemd service is responsible for starting other services. Thus, no individual units should be enabled. Insights need to fix their own rules to take IdM presence into account. This is not the first rule in Insights that has no clue about IdM configuration and, as a matter of fact, needs to be modified. If you need more details, please contact IdM developers for more detailed information.

Hi Alex! I'll reopen this one.

Reopening and adapting title.
The issue here really is that the smb.conf is missing the following line:
max smbd processes = 1000
In order to mitigate SMBLoris.

Oliver, while I can change the default in our smb.conf template (we have a generic bug https://bugzilla.redhat.com/show_bug.cgi?id=1449133 for this already), I think you need to change Insights rules to:
- spell out real issue you are checking for
- not trigger this rule on IdM masters as it is.

Thus, I'd rather reuse this bug on Insights side and do IPA changes in existing bug.

OK. To summarize this now.
The rule that is being triggered is the following:
Security > Samba with externally listening process vulnerable to a denial of service via NetBIOS Session Service header (SMBLoris)
Therefore the change to the template via RHBZ#1449133 _is_ required. Shall I put a comment there?
And maybe I pointed you in the wrong direction in comment#4 - sorry for that.

I did add a comment there already.

Hi Alex! Thanks a lot. I'll close this RHBZ therefore and add the other to the customer case.

*** This bug has been marked as a duplicate of bug 1449133 ***

Description of problem:
The rule 'Security > Samba with externally listening process vulnerable to a denial of service via NetBIOS Session Service header (SMBLoris)' in Insights is triggered after installation of IdM, since Samba is getting installed. However, the issue here is that Samba isn't enabled and therefore the rule doesn't really make too much sense.

Version-Release number of selected component (if applicable):
-

How reproducible:
Always

Steps to Reproduce:
1. ipa-install-server
2. Check Insights report - something like the following can be seen:

This machine is vulnerable because:
It has the following vulnerable Samba server package installed: samba-4.8.3-4.el7
The smb service is running.
The system is listening on port 445.
Port 445 appears to be open to the internet.

Actual results:
Rule is triggered although Samba isn't enabled.

Expected results:
If Samba isn't enabled, this rule shouldn't be triggered.

Additional info:
Customer case will be linked in a hurry.
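
The two conditions this bug turns on, smb being active on an IdM server while its unit is disabled and smb.conf lacking `max smbd processes`, as an added example that is not part of the bug report or of the Insights rule's own code. The names `max_smbd_processes` and `assess`, the sample configs, and treating any positive cap as mitigated are assumptions.

```python
import re

# Constructed sample: an almost empty smb.conf without the mitigation line.
CONF_BEFORE = """\
[global]
; constructed sample, not a real IdM template
workgroup = EXAMPLE
"""
# Same file with the line from this bug added (spelling variant on purpose).
CONF_AFTER = CONF_BEFORE + "Max SMBD Processes=1000\n"


def max_smbd_processes(conf_text):
    """Return the [global] 'max smbd processes' value, or None if unset."""
    section, value = None, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        key, sep, val = line.partition("=")      # only the first '=' counts
        # Samba ignores case and whitespace in parameter names.
        if sep and section == "global" and \
                re.sub(r"\s+", "", key).lower() == "maxsmbdprocesses":
            value = int(val.strip())             # a later line overrides
    return value


def assess(conf_text, enabled_state, active_state):
    """Combine the config check with `systemctl is-enabled/is-active` output."""
    limit = max_smbd_processes(conf_text)
    running = active_state == "active"
    return {
        "running": running,
        "enabled_at_boot": enabled_state == "enabled",
        "process_cap": limit,
        # Assumption: any positive cap counts as mitigated; None or 0 = no limit.
        "flag": running and not limit,
    }


if __name__ == "__main__":
    # States taken from the systemctl output quoted in this bug.
    print(assess(CONF_BEFORE, "disabled", "active"))
    print(assess(CONF_AFTER, "disabled", "active"))
```

The `flag` result depends on the active state and the process cap only; the enabled state is reported but not used, since on IdM the unit stays disabled while `ipa.service` starts smb.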