Bug 2015802 - [RFE] RHV hypervisors should support running on host with DISA STIG security profile applied
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Virtualization Manager
Classification: Red Hat
Component: vdsm
Version: 4.4.8
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: ovirt-4.5.0
Target Release: 4.5.0
Assignee: Ales Musil
QA Contact: Guilherme Santos
URL:
Whiteboard:
Depends On: 1970529 2015093 2020620 2021802 2026301 2027259 2029830 2050071 2055149 2055829 2055860 2066300 2070036 2070582
Blocks: 2072987
Reported: 2021-10-20 06:41 UTC by Martin Perina
Modified: 2022-05-26 17:23 UTC

Fixed In Version: ovirt-engine-4.5.0.5
Doc Type: Release Note
Doc Text:
RHV Hypervisor 4.4 SP1, with the exception of RHV-H, is able to run on a host with the RHEL 8.6 DISA STIG OpenSCAP profile applied.
Clone Of:
Environment:
Last Closed: 2022-05-26 17:22:44 UTC
oVirt Team: Infra
Target Upstream Version:
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
Github ComplianceAsCode content pull 7961 0 None open Filter out RHEL8 STIG rules on RHV hosts 2021-12-09 12:09:24 UTC
Github oVirt ovirt-engine pull 181 0 None open fapolicy: add allow rule for vdsm-mom 2022-03-30 07:14:57 UTC
Red Hat Issue Tracker RHV-43845 0 None None None 2021-10-20 06:43:28 UTC
Red Hat Product Errata RHSA-2022:4764 0 None None None 2022-05-26 17:23:06 UTC
oVirt gerrit 117281 0 master MERGED init: Move vdsmd and supervdsmd to /usr/libexec 2021-11-08 08:14:16 UTC
oVirt gerrit 117355 0 master MERGED ansible: Fix permissions for libvirt-vnc certificates 2021-11-01 09:34:44 UTC

Description Martin Perina 2021-10-20 06:41:04 UTC
RHV hypervisors should be able to properly run on a host where the official DISA STIG profile for RHEL 8 is applied.

https://www.redhat.com/en/blog/disa-has-released-red-hat-enterprise-linux-8-stig
http://static.open-scap.org/ssg-guides/ssg-rhel8-guide-stig.html
https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems

If running on the official DISA STIG profile is not feasible due to technical limitations, then we need to create a hardening profile for RHV hypervisors based on the official DISA STIG profile, where we would have disabled the DISA STIG features which block proper functionality of the RHV hypervisor.

Comment 1 Martin Perina 2021-10-20 06:41:48 UTC
The effort to make RHV Manager work with DISA STIG is tracked in BZ2015796.

Comment 2 Sandro Bonazzola 2022-03-29 16:16:40 UTC
We are past 4.5.0 feature freeze, please re-target.

Comment 10 cshao 2022-04-26 12:23:43 UTC
Update:
I tested this and it passes with the latest RHEL 8.6 (RHEL-8.6.0-20220423.0-x86_64-dvd1.iso), which has fapolicyd >= 1.1-6.

Comment 12 cshao 2022-05-05 08:19:50 UTC
(In reply to cshao from comment #10)
> Update:
> I tested this and it passes with the latest RHEL 8.6
> (RHEL-8.6.0-20220423.0-x86_64-dvd1.iso), which has fapolicyd >= 1.1-6.

Verify this bug according to the above comments.

Comment 19 errata-xmlrpc 2022-05-26 17:22:44 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Low: RHV RHEL Host (ovirt-host) [ovirt-4.5.0] security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:4764

