kdump is not disabled via Kickstart remediations on RHEL-10 #12832

Open
comps opened this issue Jan 15, 2025 · 6 comments
Labels
blocked Issue that can't be fixed in content. productization-issue Issue found in upstream stabilization process. RHEL10 Red Hat Enterprise Linux 10 product related.

Comments

@comps
Collaborator

comps commented Jan 15, 2025

Description of problem:

According to oscap HTML report, kdump.service has ActiveState as failed, not as disabled (?).

This is possibly because RHEL-10 Anaconda forcibly activates kdump even if the (oscap-generated) kickstart has

    # Disable and enable systemd services (required for security compliance)
    services --disabled=debug-shell,autofs,kdump --enabled=pcscd,rsyslog,systemd-journald,firewalld,fapolicyd,chronyd,sshd,usbguard,auditd

Maybe it can be fixed in content, maybe adding

    %addon com_redhat_kdump --disable
    %end

would fix it (in OpenSCAP code?).

This %addon syntax is compatible with older RHELs too, and should arguably be present in those kickstarts as well.

There was a similar issue in the past with Anaconda: rhinstaller/kdump-anaconda-addon@06ad891, so this may also be an Anaconda bug - we should probably contact their devel team to figure out a solution.

SCAP Security Guide Version:

master @ 60a184a

Operating System Version:

RHEL-10

Steps to Reproduce:

  1. Run custom productization as
    --rhel 10 --arch x86_64 --test /hardening/kickstart/hipaa
    
    (happens on hipaa, stig and stig_gui)

Additional Information/Debugging Steps:

@comps comps added productization-issue Issue found in upstream stabilization process. RHEL10 Red Hat Enterprise Linux 10 product related. labels Jan 15, 2025
@jan-cerny
Collaborator

OpenSCAP should be able to generate this section to the generated kickstart when a rule has a kickstart type remediation with the following contents:

    kdump disable

@comps
Collaborator Author

comps commented Jan 17, 2025

Well, seeing how these tests failed:

    /hardening/kickstart/hipaa/service_kdump_disabled
    /hardening/kickstart/stig/service_kdump_disabled
    /hardening/kickstart/with-gui/stig_gui/service_kdump_disabled

it seems that service_kdump_disabled doesn't use that feature.

@jan-cerny
Collaborator

Yes, it doesn't use it

@jan-cerny jan-cerny self-assigned this Jan 20, 2025
jan-cerny added a commit to jan-cerny/scap-security-guide that referenced this issue Jan 20, 2025
This change will cause the kickstart file generated by OpenSCAP
to contain the `%addon com_redhat_kdump --disable` section.

Fixes: ComplianceAsCode#12832
@jan-cerny
Collaborator

I have created PR #12856 where I will add the %addon com_redhat_kdump --disable to the remediation. However, that won't fix this issue - see the description there.

@Mab879 Mab879 closed this as completed in bb719a4 Jan 20, 2025
@jan-cerny jan-cerny reopened this Jan 21, 2025
@jan-cerny
Collaborator

The PR #12856 has been merged, but the rule still fails - see the description there.

@jan-cerny jan-cerny added the blocked Issue that can't be fixed in content. label Jan 22, 2025
@comps
Collaborator Author

comps commented Jan 23, 2025

So what are the next steps if this is blocked?

Is there an Anaconda installer issue filed to change the behavior of the %addon to disable/mask the service if it doesn't do that?

Or do we "fix" it on the content side by checking service start failure and treating it as valid for "service disabled"?
Or do we add a %post script to mask the service?
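
A minimal check that a generated kickstart carries both kdump directives quoted in this thread, added here as an example and not taken from OpenSCAP, ComplianceAsCode or Anaconda. The function name `kdump_directives` and the sample text are assumptions for illustration; finding both directives only confirms what the kickstart asks for, not the state of the installed service, which the thread reports as still failing.

```python
import shlex

# '%' keywords that do not open a section closed by %end
NOT_SECTIONS = {"%include", "%ksappend", "%end"}


def kdump_directives(kickstart_text):
    """Report which kdump-disabling directives a kickstart file contains."""
    found = {"services_disabled": False, "addon_disabled": False}
    in_section = False
    for raw in kickstart_text.splitlines():
        line = raw.strip()
        if in_section:
            # Section bodies (%post scripts, %packages lists, ...) are not
            # kickstart commands, so a look-alike line there must not count.
            in_section = line != "%end"
            continue
        if not line or line.startswith("#"):
            continue
        words = shlex.split(line)
        if words[0].startswith("%") and words[0] not in NOT_SECTIONS:
            in_section = True
            if words[:2] == ["%addon", "com_redhat_kdump"] and "--disable" in words[2:]:
                found["addon_disabled"] = True
        elif words[0] == "services":
            args = iter(words[1:])
            for opt in args:
                if opt == "--disabled":            # "--disabled a,b" form
                    value = next(args, "")
                elif opt.startswith("--disabled="):  # "--disabled=a,b" form
                    value = opt.split("=", 1)[1]
                else:
                    continue
                if "kdump" in [unit.strip() for unit in value.split(",")]:
                    found["services_disabled"] = True
    return found


# Constructed sample built from the two directives quoted in the issue.
SAMPLE = """\
# Disable and enable systemd services (required for security compliance)
services --disabled=debug-shell,autofs,kdump --enabled=pcscd,rsyslog
%addon com_redhat_kdump --disable
%end
"""

if __name__ == "__main__":
    print(kdump_directives(SAMPLE))
```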
