Some systemd rules fail after kickstart installation
Description of problem:
The kickstart remediations provide a way to enable and disable systemd services, but we don't have a way to enable and disable systemd sockets and systemd mounts in the kickstart. Unfortunately, we haven't found any feature in the Kickstart Documentation that we could use for that. The current Bash remediations don't work in the installation environment. As a result, the rules for systemd mounts and systemd sockets fail.
Specifically, this problem currently manifests in these rules:
- systemd_tmp_mount_enabled
- socket_systemd-journal-remote_disabled
Moreover, our kickstart remediation for disabling services only disables them, but our rules require them to be masked. Some profiles explicitly require the services to be masked, and disabling isn't sufficient for them.
Specifically, this problem currently manifests in these rules:
- service_nftables_disabled
- service_bluetooth_disabled
- service_avahi-daemon_disabled
SCAP Security Guide Version:
current upstream master branch as of 2024-08-07, HEAD https://github.com/ComplianceAsCode/content/commit/42c82069d1b0a632560f6b11f6ecb08f7f6d2743
Operating System Version:
RHEL 9.4
Steps to Reproduce:
- build rhel9
- generate kickstart using oscap xccdf generate fix --fix-type kickstart (using openscap-1.4.0)
- use the generated kickstart for operating system installation of RHEL 9.4
- on the installed machine run oscap xccdf eval --profile stig --results-arf arf.xml /usr/share/xml/scap/ssg-rhel9-ds.xml.
Actual Results:
Some systemd-related rules listed in the description of the problem fail after kickstart installation.
Expected Results:
Some systemd-related rules listed in the description of the problem pass after kickstart installation.
Additional Information/Debugging Steps:
We discussed this problem internally on 2024-08-07. We think that one of the possible solutions is to add systemctl commands to a %post section with a --root option.
During our work on fixing https://github.com/ComplianceAsCode/content/issues/12832 in https://github.com/ComplianceAsCode/content/pull/12856, we have discovered that another rule affected by the problem that the kickstart service command doesn't mask the services and only disables them is the rule service_kdump_disabled.
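One way to write the %post approach suggested above, covering both the mask requirement (including service_kdump_disabled) and the socket/mount rules from the description. This is an added example, not part of the issue or of the project's remediations; it assumes %post runs with --nochroot so the installed system sits under /mnt/sysimage, and the tmp.mount location check is an assumption about where RHEL 9 ships that unit.

```kickstart
%post --nochroot --log=/mnt/sysimage/root/ks-post-systemd.log
# Added example, not from the issue or from ComplianceAsCode/content.
# Assumption: with --nochroot the target system is at /mnt/sysimage, so every
# systemctl call is pointed at it with --root instead of the installer's own tree.
ROOT=/mnt/sysimage

# These rules require the unit to be masked; the kickstart "services
# --disabled=" command only disables it. Disable first, then mask, which
# is the order the project's Bash remediations use.
for unit in bluetooth.service avahi-daemon.service nftables.service kdump.service; do
    systemctl --root="$ROOT" disable "$unit"
    systemctl --root="$ROOT" mask "$unit"
done

# Sockets cannot be handled by the kickstart "services" command at all.
systemctl --root="$ROOT" disable systemd-journal-remote.socket
systemctl --root="$ROOT" mask systemd-journal-remote.socket

# Assumption: tmp.mount is under /usr/lib/systemd/system on RHEL 9. If it is
# only present under /usr/share/systemd, copy it into /etc first so that
# "enable" has a unit file to act on.
if [ ! -f "$ROOT/usr/lib/systemd/system/tmp.mount" ] && \
   [ -f "$ROOT/usr/share/systemd/tmp.mount" ]; then
    cp "$ROOT/usr/share/systemd/tmp.mount" "$ROOT/etc/systemd/system/tmp.mount"
fi
systemctl --root="$ROOT" enable tmp.mount

# Record the resulting unit state in the %post log so a failing oscap
# evaluation after installation can be traced back to this step.
# The rules look for "masked" on the services/socket and "enabled" on tmp.mount.
for unit in bluetooth.service avahi-daemon.service nftables.service kdump.service \
            systemd-journal-remote.socket tmp.mount; do
    printf '%s: %s\n' "$unit" "$(systemctl --root="$ROOT" is-enabled "$unit" 2>&1)"
done
%end
```

After installation, the same `systemctl is-enabled` calls (without --root) on the installed machine should show the expected states before running the oscap evaluation from the reproduction steps.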