Bug 2029830 - [RFE] Hosted engine should accept OpenSCAP profile name instead of bool
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Virtualization Manager
Classification: Red Hat
Component: ovirt-hosted-engine-setup
Version: 4.5.0
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: ovirt-4.5.0
Target Release: 4.5.0
Assignee: Asaf Rachmani
QA Contact: Petr Kubica
URL:
Whiteboard:
Duplicates: 2068318
Depends On:
Blocks: 2015802 2030226 2030596
 
Reported: 2021-12-07 12:04 UTC by Ales Musil
Modified: 2022-08-18 13:15 UTC

Fixed In Version: ovirt-hosted-engine-setup-2.6.1-1 ovirt-ansible-collection-2.0.0-0.6.BETA.el8
Doc Type: Enhancement
Doc Text:
With this release, the self-hosted engine installation supports selecting either DISA STIG or PCI-DSS security profiles for the self-hosted engine VM.
Clone Of:
Environment:
Last Closed: 2022-05-26 17:22:44 UTC
oVirt Team: Integration
Target Upstream Version:
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
Github oVirt ovirt-ansible-collection pull 411 0 None open roles: hosted_engine_setup: Add an option to define OpenSCAP security profile name 2021-12-30 11:36:01 UTC
Github oVirt ovirt-hosted-engine-setup pull 12 0 None open src: Add an option to choose OpenSCAP security profile name 2022-01-03 12:05:45 UTC
Red Hat Issue Tracker RHV-44156 0 None None None 2021-12-07 12:07:26 UTC
Red Hat Knowledge Base (Solution) 5305631 0 None None None 2022-03-25 06:33:47 UTC
Red Hat Product Errata RHSA-2022:4764 0 None None None 2022-05-26 17:23:06 UTC

Description Ales Musil 2021-12-07 12:04:55 UTC
Description of problem:
Currently the OpenSCAP profile is activated by
OVEHOSTED_VM/applyOpenScapProfile=bool:True. This does not allow
specifying which profile will be used.

It would be beneficial if the profile variable accepted a profile name, e.g. xccdf_org.ssgproject.content_profile_stig.

Comment 1 Martin Perina 2021-12-08 08:30:29 UTC
We should also be able to support the PCI-DSS security profile: xccdf_org.ssgproject.content_profile_pci-dss

Comment 4 Sandro Bonazzola 2022-03-25 06:33:47 UTC
*** Bug 2068318 has been marked as a duplicate of this bug. ***

Comment 5 Petr Kubica 2022-05-05 13:55:54 UTC
Verified in
ovirt-ansible-collection-2.0.3-1.el8ev.noarch
ovirt-hosted-engine-setup-2.6.3-1.el8ev.noarch

Deploy questions were changed and now it is possible to choose from two profiles:

          Do you want to apply an OpenSCAP security profile? (Yes, No) [No]: yes
          Please provide the security profile you would like to use (stig, pci-dss) [stig]: stig

Comment 12 errata-xmlrpc 2022-05-26 17:22:44 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Low: RHV RHEL Host (ovirt-host) [ovirt-4.5.0] security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:4764

