Uploaded image for project: 'Satellite'
  1. Satellite
  2. SAT-18075

[RFE] Support the --local-files oscap argument

XMLWordPrintable

    • Icon: Feature Request Feature Request
    • Resolution: Done
    • None
    • 6.10.0
    • SCAP Plugin
    • None
    • None
    • None
    • None

      +++ This bug was initially created as a clone of Bug #2081777 +++

      Description of problem:

      The new version of oscap 1.3.6, probably released around 8.6/9.0 will stop look at current working directory for the local cache of oval files. Instead it will provide explicit --local-files argument, that we'll have to start using to preserve the functionality. This has impact on the customers who use the solution from https://bugzilla.redhat.com/show_bug.cgi?id=1957288

      Expected results:

      Today we rely on the files being present in /root, the foreman_scap_client could just add such definition on the oscap >= 1.3.6. The directory may be configurable, but that would require also changes to ansible role and the puppet module to modify the config file. I think that is not mandatory for this RFE.

      Additional info:

      This should be a follow up of https://bugzilla.redhat.com/show_bug.cgi?id=1957288

      — Additional comment from on 2022-07-07T08:53:09Z

      Hello Team,

      Any workaround available for now, using which we can pass the parameter( --local-files) in the config file (/etc/foreman_scap_client/config.yaml ), so that during the scan it should refer to the file and perform the checks and upload the report to the satellite.

      Regards,

      — Additional comment from on 2022-08-24T18:35:53Z

      There is no easy workaround, the only way to make this work now is to manually patch the foreman_scap_client code on every client. This is the line, that needs to be modified

      https://github.com/theforeman/foreman_scap_client/blob/master/lib/foreman_scap_client/client.rb#L39

      — Additional comment from on 2022-12-19T05:37:22Z

      === In Red Hat Customer Portal Case 03278473 ===
      — Comment by Satyajit Das on 12/19/2022 12:37 AM —

      Hello,

      Thanks for your patience.

      We have no updates to share with you at the moment on the Bugzilla.

      However, We will keep you periodically posted with the latest developments on this Bugzilla every 30 days.

      Please let us know in case of any concerns.

      Best Regards,

      — Additional comment from on 2023-03-27T14:52:11Z

      Hello Marek,

      Any update on this bug?

      Customer from 03467244 is not happy with the progress. Please prioritize this bug.

      — Additional comment from on 2023-04-11T07:56:14Z

      There is no update we can share at this point, I'll bring that up on the next RFE triage and see whether we can prioritize over something else or not.

      — Additional comment from on 2023-04-11T14:06:39Z

      Customer has raised an escalation against the issue to seek a new status update from an Engineering perspective.
      I know that we do not give any such timelines to resolve issues however at present the customer has nothing to go on due to limited updates and this is resulting concerns of priority to their issue or any such progress.

      Business Impact.
      At present customer is not in a position to rollout openscap scans and is looking for any such "potential" timelines when this will be resolved.

      Actions:

      • Due to RME raised directly via the customer - Escalations Team have updated the BZ to seek to get further status update via Engineering.

      Regards
      Claire Davey
      Senior Escalation Manager

      — Additional comment from on 2023-04-12T06:32:44Z

      === In Red Hat Customer Portal Case 03467244 ===
      — Comment by Aniket Mahindrakar on 4/12/2023 12:02 PM —

      Hello,

      Thanks for your patience.

      We have no updates to share with you at the moment on the Bugzilla.

      However, We will keep you periodically posted with the latest developments on this Bugzilla every 30 days.

      Please let us know in case of any concerns.

      Reagard,
      Aniket Mahindrakar
      RedHat Technical Support

      "Red Hat Satellite 6.12 was released on November 16, 2022. Red Hat Satellite 6.9 has reached End Of Life on November 30, 2022. Plan the upgrade soon if not yet done. For more details related to Red Hat Satellite Product Life Cycle: https://access.redhat.com/support/policy/updates/satellite"
      "Red Hat Update Infrastructure (RHUI) version 3 will reach End Of Life on March 2, 2023. Plan the upgrade soon to RHUI version 4.
      For more details related to Product Life Cycle: https://access.redhat.com/support/policy/updates/rhui"

      — Additional comment from on 2023-04-12T09:30:38Z

      The customer as i know them privately has now reached out to me to find out if i can assist them at getting more traction on this case, would it be possible to provide a hotfix for them that solve this, they do not wish to do their own hotfix for a high profile customer.

      It looks like the customer has provided the fix in case 03467244 a simple hotfix / addon for this issue would be appreciated.

      — Additional comment from on 2023-04-21T14:27:02Z

      There are several options being considered at this point. The quickest solution may be to enforce "--local-files /root" in the foreman_scap_client, then it would work like previously described in the KCS. However we're investigating the impact on other scenarios, where external resources are not being fetched or the oval scan is simply disabled. We are also considering a different way of configuring and triggering the scan so that we get rid of some hard to maintain dependencies. I hope to have some better clarity around this next week.

      Also, please don't use satellite6-bugs for need info, it's not monitored. It's probably best to needinfo me in this RFE if needed.

      — Additional comment from on 2023-05-02T17:38:57Z

      The WIP can be observed at https://github.com/theforeman/foreman_scap_client/pull/41, once this is merged, we can release new version of foreman_scap_client, that should be able to detect the version of the oscap and enforce --local-files /root use, to mimic the same behavior as before the patch.

      — Additional comment from on 2023-05-09T15:13:28Z

      The new version of foreman_scap_client 0.5.1 was released in the upstream and includes the fix.

      — Additional comment from on 2023-05-09T15:14:55Z

      This will naturally land in 6.14, but we need to get this to the z-streams asap.

      — Additional comment from on 2023-06-01T14:11:20Z

      Created attachment 1968314
      hotfix rpm

      — Additional comment from on 2023-06-01T14:11:52Z

      Created attachment 1968315
      hotfix doc rpm

      — Additional comment from on 2023-06-01T14:13:09Z

      Hotfix instructions:

      1. Download the RPM's from the BZ to a folder on the satellite and cd to that directory
      2. # yum localinstall *
      3. # foreman-maintain service restart

      — Additional comment from on 2023-06-02T10:05:09Z

      This package is typically installed on scanned hosts, not Satellite itself. People need to distribute this to their hosts.

              jira-bugzilla-migration RH Bugzilla Integration
              jira-bugzilla-migration RH Bugzilla Integration
              Adarsh Dubey Adarsh Dubey
              Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

                Created:
                Updated:
                Resolved: