Help-Known-Issues.txt

Our journey towards perfection is still a WiP so here are the CLIP known
issues:

=============================================================================
CLIP for RHEL 6.7 Final Release - February 2016:

- OpenSCAP has a double free when using a certain version of glibc on RHEL 6.7.
  It doesn't occur on all systems, but we have experienced it creating live 
  images with glibc-2.12-1.166.el6.x86_64.rpm. The way we fixed it is by
  updating to the latest packages by running "yum update".

  We believe the issue is related to this bug:
  https://fedorahosted.org/openscap/ticket/442

- There is an issue with version  nss-softokn-3.14.3-22.el6_6.x86_64 and
  anaconda-13.21.229-1.el6.centos.x86_64.  anaconda contains a static list
  of files to include in the initrd.  nss-softokn, in the version above,
  introduces a new library that should have been included via an update to
  anaconda.  This causes RPM signature validation to fail and no packages are
  actually installed.  Of course the anaconda UI doesn't tell you this... and
  it fails when it tries to set the root password as /etc/passwd isn;t
  present. And of course the traceback isn't helpful.  It tells you there was
  a problem in setUserPasswd() and leaves you to track it down by trawling
  through /tmp/log and /mnt/sysimg/root/install.log.  But I digress and there
  will likely be an updated anaconda as no one can roll an installable ISO
  without patching anaconda.  Our work-around is to use anaconda's update
  feature that allows you to hot-patch anaconda's initrd before anaconda
  itself is started. So we check for the the culprit package and include an
  update image in the rolled ISO.  That was a mouthful.

=============================================================================
CLIP for RHEL 6.6 Final Release - Aprilish 2015:

- Build-system specific (probably) - kernel 2.6.32-504.12.2.el6.x86_64 causes
  panics when building CLIP.  It appears to come from problems in chroot 
  environments and typically happens when mock is running. We recommend using
  2.6.32-358.el6.x86_64.  Do this by setting the default= in
  /boot/grub/grub.conf to the number of the 358 kernel.  Remember it is
  zero-based so if 358 is is the second entry, set default=1.

- There appears to be a bug causing anaconda not to include the correct kernel
  modules in the initrd.  This appears to be an issue in CLIP.  The
  manifestation is that you will see messages during boot stating kernel
  modules were not found.  Then, you will be prompted for the path to the
  kickstart.  That will continually fail as no kernel module is available for
  the CDROM device.  The current work-around is to run "make bare" and then
  rebuild the desired ISO like usual.

  I believe this is related to using a commitish in this path:
	./tmp/clip-sftp-dropbox/7e2d5ae/x86_64/os/Packages

- There is an issue with version  nss-softokn-3.14.3-22.el6_6.x86_64 and
  anaconda-13.21.229-1.el6.centos.x86_64.  anaconda contains a static list
  of files to include in the initrd.  nss-softokn, in the version above,
  introduces a new library that should have been included via an update to
  anaconda.  This causes RPM signature validation to fail and no packages are
  actually installed.  Of course the anaconda UI doesn't tell you this... and
  it fails when it tries to set the root password as /etc/passwd isn;t
  present. And of course the traceback isn't helpful.  It tells you there was
  a problem in setUserPasswd() and leaves you to track it down by trawling
  through /tmp/log and /mnt/sysimg/root/install.log.  But I digress and there
  will likely be an updated anaconda as no one can roll an installable ISO
  without patching anaconda.  Our work-around is to use anaconda's update
  feature that allows you to hot-patch anaconda's initrd before anaconda
  itself is started. So we check for the the culprit package and include an
  update image in the rolled ISO.  That was a mouthful.

=============================================================================
CLIP for RHEL 6.2 Final Release - Novemberish 2012:

- useradd has a bug that causes problems with a SELinux policy that lacks a
  __default__ user mapping, a specific user mapping for the user being added
(eg bob->staff_u), and user_u is missing.  Thus CLIP must include user_u for
useradd to work correctly.  We suggest the following workflow:
  - "# useradd -Z staff_u -m bob"
  - "# genhomedircon"
  - "# restorecon -R /home/bob"
  Note this appears to be related to another policycoreutils bug that we 
  filed with and confirmed by Red Hat.  If the fix for that issue doesn't 
  also fix this problem we will open another bug.

- scap-security-guide uses a hard coded /usr/local for the install directory.
  The CLIP team submitted a patch (a long, long time ago) to fix this but it 
  has not been accepted upstream.  Since this is a minor issue, CLIP is *not* 
  patching SSG to fix it.

- We (almost) have the ability to roll LiveCDs which are great for stateless
  solutions. While the system works for RHEL 5, we are having issues with
  dracut in RHEL 6.  As a result, LiveCDs don't work out of the box.  We're
  open to patches from the community to fix this issue :)

- There are multiple probes which appear to be working improperly.  The
  specified requirement appears to be met, yet the OVAL check fails. We
suspect that the following items are false negatives, due to faulty probes. We
will follow up with the openscap community and get these items resolved for
future versions.
	- set_password_hashing_algorithm
	- bootloader_auditd_argument
	- set_system_login_banner
	- audit_mac_changes
	- bootloader_nousb_argument
	- set_sysctl_net_ipv4_conf_all_log_martians
	- set_sysctl_net_ipv4_icmp_echo_ignore_broadcasts
	- set_sysctl_net_ipv4_icmp_ignore_bogus_error_responses
	- set_sysctl_net_ipv4_conf_all_rp_filter
	- set_sysctl_net_ipv4_conf_default_rp_filter
	- enable_randomize_va_space
        - set_password_hashing_algorithm
        - bootloader_auditd_argument
        - set_system_login_banner
        - mount_option_dev_shm_nodev
        - mount_option_dev_shm_noexec
        - mount_option_dev_shm_nosuid
	- iptables_smtp_enabled
	- enable_execshield
	- mount_option_tmp_nodev
	- mount_option_tmp_noexec
	- mount_option_tmp_nosuid
	- mount_option_dev_shm_nodev
	- mount_option_dev_shm_noexec
	- mount_option_dev_shm_nosuid

- We have made minor updates to the oss.tresys.com/projects/clip website.
  More changes are necessary but are not considered a blocker for release.
=============================================================================

=============================================================================
CLIP for RHEL 6.2 Beta Release - September 20ish, 2012:

- useradd has a bug that causes problems with a SELinux policy that lacks a
  __default__ user mapping, a specific user mapping for the user being added
(eg bob->staff_u), and user_u is missing.  Thus CLIP must include user_u for
useradd to work correctly.  We suggest the following workflow:
  - "# useradd -Z staff_u -m bob"
  - "# genhomedircon"
  - "# restorecon -R /home/bob"

- CLIP is targeted at DCID 6/3 PL4 High/High requirements.  Tresys wrote
  remediation content supporting those requirements.  Unfortunately the
  requirements are not releasable. Thus we are using a "generic" SCAP/SecState
  profile that contains requirements that are not relevant.  This means that the
  audit report generated by SecState is slightly misleading as many of the
  failures are the result of OVAL checks that do not have corresponding
  remediation.  We have a solution to this issue that will be included in the
  final release.  We will be shipping a profile that selects DCID SCAP and
  remediation content, but does so without any prose from the requirement
  document itself.

- The SELinux policy does not contain support for SecState yet.  It works in
  the kickstart, but will not work in enforcing mode at run-time.  If you wish
  to use it at run-time, prior to the final CLIP release, please put the system
  in permissive mode temporarily:
  `sudo /usr/sbin/setenforce 0`
  `sudo /usr/bin/secstate audit`
  `sudo /usr/bin/secstate remediate`
  `sudo /usr/sbin/setenforce 1`

- scap-security-guide uses a hard coded /usr/local for the install directory.
  The CLIP team submitted a patch to fix this but it has not been accepted
  upstream.  Since this is a minor issue, CLIP is *not* patching SSG to fix
  it.

- We (almost) have the ability to roll LiveCDs which are great for stateless
  solutions. While the system works for RHEL 5, we are having issues with
  dracut in RHEL 6. I hope to have these addressed by the final release but this
  is not a blocker.

	
- We have made minor updates to the oss.tresys.com/projects/clip website. A
  needs some more work but has progressed since the beta release.
=============================================================================


=============================================================================
CLIP for RHEL 6.2 Alpha Release - July 17ish, 2012:

- SELinux policy needs more work to boot in enforcing mode.  This is a blocker
  for our beta release thus the beta will include a policy that supports a
  default CLIP configuration in enforcing mode.

- We have the ability to roll LiveCDs which are great for stateless solutions.
  While the system works for RHEL 5, we are having issues with dracut in RHEL
  6. I hope to have these addressed by the beta release but this is not a
  blocker.

- We have not updated the oss.tresys.com/projects/clip website (aside adding
  links to the new releases).  This will be done for beta and final releases.

- Secstate is only able to audit certain sub-groups of scap-security-guide.
  OpenSCAP segfaults when attempting to audit the entire XCCDF.  The groups
  with x's below are the ones which can be audited with a
  `secstate select -r RHEL-6 [group-name]; secstate audit`:
[x] services
[ ] system
    [x] software
    [ ] permissions
        [ ] partitions
        [x] mounting
        [x] files
        [x] restrictions
    [x] selinux
    [ ] accounts
        [x] accounts-restricitons
        [x] accounts-pam
        [x] accounts-session
        [x] accounts-physical
        [ ] accounts-banners
    [ ] network
        [x] network_disable_unused_interfaces
        [x] network_disable_zeroconf
        [x] network_sniffer_disabled
        [x] network-kernel
        [ ] network-wireless
        [x] network-ipv6
        [x] network-iptables
        [x] network-ssl
        [x] network-uncommon
        [x] networking-ipsec
    [x] logging

Instead of selecting the content by hand you can alternatively execute
these commands:
## START COMMANDS ##
secstate deselect -r RHEL-6
secstate select -r RHEL-6 intro
secstate select -r RHEL-6 software
secstate select -r RHEL-6 mounting
secstate select -r RHEL-6 files
secstate select -r RHEL-6 restrictions
secstate select -r RHEL-6 selinux
secstate select -r RHEL-6 accounts-restrictions
secstate select -r RHEL-6 accounts-pam
secstate select -r RHEL-6 accounts-session
secstate select -r RHEL-6 accounts-physical
secstate select -r RHEL-6 network_disable_unused_interfaces
secstate select -r RHEL-6 network_disable_zeroconf
secstate select -r RHEL-6 network_sniffer_disabled
secstate select -r RHEL-6 network-kernel
secstate select -r RHEL-6 network-ipv6
secstate select -r RHEL-6 network-iptables
secstate select -r RHEL-6 network_ssl
secstate select -r RHEL-6 network-uncommon
secstate select -r RHEL-6 network-ipsec
secstate select -r RHEL-6 logging
secstate select -r RHEL-6 services
## END COMMANDS ##


- `secstate remediate` still needs to be able to work for audits, using
  `secstate remediate -x [audit-results.xml].  This issue will hopefully be
  addressed by the beta release.

- scap-security-guide uses a hard coded /usr/local for the install directory.
  This needs to be shifted to use `${DESTDIR}`, which defaults to /usr/local
  if no usr exists.
=============================================================================