Bug 2072987
| Summary: | [Doc] Document DISA STIG installation and usage on RHV | |||
|---|---|---|---|---|
| Product: | Red Hat Enterprise Virtualization Manager | Reporter: | Ales Musil <amusil> | |
| Component: | Documentation | Assignee: | Eli Marcus <emarcus> | |
| Status: | CLOSED NEXTRELEASE | QA Contact: | rhev-docs <rhev-docs> | |
| Severity: | high | Docs Contact: | ||
| Priority: | urgent | |||
| Version: | unspecified | CC: | adahms, amashah, apinnick, arachman, cshao, emarcus, lsurette, lsvaty, lveyde, mavital, mhicks, mkalinin, mperina, peyu, sanja, sbonazzo, sgordon, srevivo, weiwang, yaniwang | |
| Target Milestone: | ovirt-4.5.0 | Keywords: | Documentation | |
| Target Release: | --- | Flags: | emarcus:
needinfo-
|
|
| Hardware: | Unspecified | |||
| OS: | Unspecified | |||
| Whiteboard: | docscope 4.5, important | |||
| Fixed In Version: | Doc Type: | If docs needed, set a value | ||
| Doc Text: | Story Points: | --- | ||
| Clone Of: | ||||
| : | 2073293 (view as bug list) | Environment: | ||
| Last Closed: | 2022-05-18 12:51:02 UTC | Type: | Bug | |
| Regression: | --- | Mount Type: | --- | |
| Documentation: | --- | CRM: | ||
| Verified Versions: | Category: | --- | ||
| oVirt Team: | Docs | RHEL 7.3 requirements from Atomic Host: | ||
| Cloudforms Team: | --- | Target Upstream Version: | ||
| Embargoed: | ||||
| Bug Depends On: | 2015796, 2015802 | |||
| Bug Blocks: | 2073293 | |||
|
Description
Ales Musil
2022-04-07 12:23:11 UTC
How does one distinguish between DRAFT and non DRAFT profile? (In reply to Marina Kalinin from comment #1) > How does one distinguish between DRAFT and non DRAFT profile? It is in the name of the old one. "[DRAFT] DISA STIG for Red Hat Virtualization Host (RHVH)". (In reply to Ales Musil from comment #0) > RHVH: > Installation of DISA STIG profile on RHVH is not supported. > Upgrade from DRAFT DISA STIG is not supported. > > Host (not RHVH): > Installation is supported through anaconda by selecting DISA STIG security > profile. > Upgrade from DRAFT DISA STIG is not supported. Is there any specific manual step here? DISA STIG security profile requires a special disk partitioning. Any recommendation for the size of the various partitions? DISA STIG also disables root ssh access to the host. Any recommendation about this? Within DISA STIG, which profile is going to be supported? xccdf_mil.disa.stig_profile_MAC-1_Classified ? > Standalone engine: > Installation is supported through anaconda by selecting DISA STIG security > profile. > Upgrade from DRAFT DISA STIG is not supported. > > Hosted Engine: > Installation is supported through HE options, "he_apply_openscap_profile" as > "True" > and "he_openscap_profile_name" as "stig" (which is the default value). > Upgrade from DRAFT DISA STIG is not supported. (In reply to Sandro Bonazzola from comment #10) > (In reply to Ales Musil from comment #0) > > RHVH: > > Installation of DISA STIG profile on RHVH is not supported. > > Upgrade from DRAFT DISA STIG is not supported. > > > > Host (not RHVH): > > Installation is supported through anaconda by selecting DISA STIG security > > profile. > > Upgrade from DRAFT DISA STIG is not supported. > > Is there any specific manual step here? There shouldn't be any manual step required. > DISA STIG security profile requires > a special disk partitioning. Any recommendation for the size of the various > partitions? We can discuss the partition size, I am not sure if there's any recommendation from RHEL. > DISA STIG also disables root ssh access to the host. Any recommendation > about this? For RHV the profile does not disable root ssh access. > Within DISA STIG, which profile is going to be supported? > xccdf_mil.disa.stig_profile_MAC-1_Classified ? I am not sure what are you reffering to, the DISA STIG profile is xccdf_org.ssgproject.content_profile_stig. > > > > Standalone engine: > > Installation is supported through anaconda by selecting DISA STIG security > > profile. > > Upgrade from DRAFT DISA STIG is not supported. > > > > Hosted Engine: > > Installation is supported through HE options, "he_apply_openscap_profile" as > > "True" > > and "he_openscap_profile_name" as "stig" (which is the default value). > > Upgrade from DRAFT DISA STIG is not supported. new PR for changes to documentation https://github.com/oVirt/ovirt-site/pull/2899 Changes proposed in this pull request: Remove instructions for adding DISAQ STIG profile to RHVH Remove mention of DISA STIG for RHVH Add notice to Removed Functionality table in Release Notes Closed previous PR - this new PR by Ales Musil addresses the DISA STIG as well as additional security profile updates https://github.com/oVirt/ovirt-site/pull/2882 Merged the PR https://github.com/oVirt/ovirt-site/pull/2899 (In reply to Eli Marcus from comment #14) > Merged the PR https://github.com/oVirt/ovirt-site/pull/2899 Eli, when exactly this is going to be merged in documentation? With 4.5.0 or later? (In reply to Marina Kalinin from comment #15) > (In reply to Eli Marcus from comment #14) > > Merged the PR https://github.com/oVirt/ovirt-site/pull/2899 > > Eli, when exactly this is going to be merged in documentation? With 4.5.0 or > later? Hi Marina The updates are visible in the current (RHV 4.4) documentation |