Bug 1791583 - [DOC] C2S security profile - services are now masked instead of disabled
Summary: [DOC] C2S security profile - services are now masked instead of disabled
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: scap-security-guide
Version: 7.8
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
: 7.9
Assignee: Watson Yuuma Sato
QA Contact: Marek Haicman
Mirek Jahoda
Depends On:
TreeView+ depends on / blocked
Reported: 2020-01-16 08:17 UTC by Steffen Froemer
Modified: 2020-05-20 07:20 UTC (History)
9 users (show)

Fixed In Version:
Doc Type: Enhancement
Doc Text:
.`SCAP Security Guide` now correctly disables services With this update, the `SCAP Security Guide` (SSG) profiles correctly disable and mask services that should not be started. This guarantees that disabled services are not inadvertently started as a dependency of another service. Before this change, the SSG profiles such as the U.S. Government Commercial Cloud Services (C2S) profile only disabled the service. As a result, services disabled by an SSG profile cannot be started unless you unmask them first.
Clone Of:
Last Closed:
Target Upstream Version:

Attachments (Terms of Use)

System ID Priority Status Summary Last Updated
Red Hat Knowledge Base (Solution) 4736311 None None None 2020-01-16 08:17:07 UTC

Description Steffen Froemer 2020-01-16 08:17:07 UTC
Description of problem:
The behavior of disabling services changed between RHEL-7.7 and RHEL-7.8. This should be mentioned somewhere (e.g. release notes)

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Install RHEL-7.8 beta with chosing C2S security profile directly inside anaconda (including nfs-utils, e.g.)
2. start nfs-server afterwards

Actual results:
Service can't be started

Expected results:
The requirement to unmask the services before possible to start should be notes in release notes, that this behavior changed. In C2S-profile of RHEL-7.7 the services were only disabled.

Additional info:

Note You need to log in before you can comment on or make changes to this bug.