From 04521f5c5c1beb31a5be9a9c43d3fceb409484ec Mon Sep 17 00:00:00 2001 From: Jeff Bradberry Date: Mon, 18 Mar 2019 15:22:49 -0400 Subject: [PATCH 01/34] Update the Insights action plugin to make calls against the new API --- awx/playbooks/action_plugins/insights.py | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/awx/playbooks/action_plugins/insights.py b/awx/playbooks/action_plugins/insights.py index 34ebd8c7cd..26fd4cd754 100644 --- a/awx/playbooks/action_plugins/insights.py +++ b/awx/playbooks/action_plugins/insights.py @@ -9,8 +9,9 @@ from ansible.plugins.action import ActionBase class ActionModule(ActionBase): - def save_playbook(self, proj_path, plan, content): - fname = '{}-{}.yml'.format(plan.get('name', None) or 'insights-plan', plan['maintenance_id']) + def save_playbook(self, proj_path, remediation, content): + fname = '{}-{}.yml'.format( + remediation.get('name', None) or 'insights-remediation', remediation['id']) file_path = os.path.join(proj_path, fname) with open(file_path, 'wb') as f: f.write(content) @@ -55,7 +56,7 @@ class ActionModule(ActionBase): } - url = '{}/r/insights/v3/maintenance?ansible=true'.format(insights_url) + url = '{}/r/insights/platform/remediations/v1/remediations?sort=-updated_at'.format(insights_url) res = session.get(url, headers=headers, timeout=120) @@ -79,8 +80,9 @@ class ActionModule(ActionBase): result['version'] = version return result - for item in res.json(): - url = '{}/r/insights/v3/maintenance/{}/playbook'.format(insights_url, item['maintenance_id']) + for item in res.json()['remediations']: + url = '{}/r/insights/platform/remediations/v1/remediations/{}/playbook'.format( + insights_url, item['id']) res = session.get(url, timeout=120) if res.status_code != 200: result['failed'] = True From 8fdc53cb219dab01fdf5be0fec9e77b717c8c01b Mon Sep 17 00:00:00 2001 
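Review bot: The new `fname = '{}-{}.yml'.format(...)` line builds a filename from `remediation.get('name')` and `remediation['id']`, both taken straight from the remote API response, and then joins it onto `proj_path`; a name containing a path separator or `..` would make `open(file_path, 'wb')` write outside the project directory. Reduce the name to a safe basename first, e.g. `name = os.path.basename(remediation.get('name', None) or 'insights-remediation')` and use `name` in the format call, or strip any character outside a conservative allow-list before formatting. The old `plan['name']` had the same exposure, so this is carried over rather than introduced here; save_playbook's body continues past the hunk.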
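Review bot: `for item in res.json()['remediations']:` assumes the listing response is JSON with a `remediations` key; a non-JSON body raises ValueError and a differently shaped body raises KeyError, neither of which is caught, so the task dies with a traceback instead of the `result['failed'] = True` path the code takes for a bad status code a few lines later. Decoding once under a `try`/`except ValueError` that sets `result['failed']`, then reading `.get('remediations', [])`, would keep the failure handling consistent. Whether the listing response's status code is checked between this hunk and the previous one is not visible here, and the enclosing method continues outside the hunk.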
From: Jeff Bradberry Date: Mon, 18 Mar 2019 15:40:38 -0400 Subject: [PATCH 02/34] Update the Insights API endpoint for getting the reports for a host --- awx/api/views/__init__.py | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/awx/api/views/__init__.py b/awx/api/views/__init__.py index 78baf63d7e..43a229f39d 100644 --- a/awx/api/views/__init__.py +++ b/awx/api/views/__init__.py @@ -1670,7 +1670,13 @@ class HostInsights(GenericAPIView): else: return Response(dict(error=_('The Insights Credential for "{}" was not found.').format(host.inventory.name)), status=status.HTTP_404_NOT_FOUND) - url = settings.INSIGHTS_URL_BASE + '/r/insights/v3/systems/{}/reports/'.format(host.insights_system_id) + # FIXME: I know that this isn't correct, we need to do an + # additional API call to /hosts to find what the Platform ID + # is for this host based on its Insights system ID. + platform_id = host.insights_system_id + + url = '{}/r/insights/platform/advisor/v1/system/{}/reports/'.format( + settings.INSIGHTS_URL_BASE, platform_id) (username, password) = self._extract_insights_creds(cred) (msg, err_code) = self.get_insights(url, username, password) return Response(msg, status=err_code) From 95b17892eebb3a02606ef3c445e46a0a261bd3b7 Mon Sep 17 00:00:00 2001 From: Jeff Bradberry Date: Mon, 18 Mar 2019 16:37:48 -0400 Subject: [PATCH 03/34] Factor out the response handling boilerplate from HostInsights.get_insights We'll want to reuse it for the API call to /hosts as well. --- awx/api/views/__init__.py | 51 +++++++++++++++++++-------- awx/main/tests/unit/api/test_views.py | 2 +- 2 files changed, 38 insertions(+), 15 deletions(-) diff --git a/awx/api/views/__init__.py b/awx/api/views/__init__.py index 43a229f39d..f669e5edb4 100644 --- a/awx/api/views/__init__.py +++ b/awx/api/views/__init__.py 
@@ -1635,49 +1635,72 @@ class HostInsights(GenericAPIView): } return session.get(url, headers=headers, timeout=120) - def get_insights(self, url, username, password): + def _call_insights_api(self, url, username, password): try: res = self._get_insights(url, username, password) except requests.exceptions.SSLError: - return (dict(error=_('SSLError while trying to connect to {}').format(url)), status.HTTP_502_BAD_GATEWAY) + return (dict(error=_('SSLError while trying to connect to {}').format(url)), + status.HTTP_502_BAD_GATEWAY) except requests.exceptions.Timeout: - return (dict(error=_('Request to {} timed out.').format(url)), status.HTTP_504_GATEWAY_TIMEOUT) + return (dict(error=_('Request to {} timed out.').format(url)), + status.HTTP_504_GATEWAY_TIMEOUT) except requests.exceptions.RequestException as e: - return (dict(error=_('Unknown exception {} while trying to GET {}').format(e, url)), status.HTTP_502_BAD_GATEWAY) + return (dict(error=_('Unknown exception {} while trying to GET {}').format(e, url)), + status.HTTP_502_BAD_GATEWAY) if res.status_code == 401: - return (dict(error=_('Unauthorized access. Please check your Insights Credential username and password.')), status.HTTP_502_BAD_GATEWAY) + msg = _('Unauthorized access. Please check your Insights Credential username and password.') + return (dict(error=msg), status.HTTP_502_BAD_GATEWAY) elif res.status_code != 200: - return (dict(error=_( - 'Failed to gather reports and maintenance plans from Insights API at URL {}. Server responded with {} status code and message {}' - ).format(url, res.status_code, res.content)), status.HTTP_502_BAD_GATEWAY) + msg = _( + 'Failed to access the Insights API at URL {}.' 
+ ' Server responded with {} status code and message {}' + ).format(url, res.status_code, res.content) + return (dict(error=msg), status.HTTP_502_BAD_GATEWAY) try: - filtered_insights_content = filter_insights_api_response(res.json()) - return (dict(insights_content=filtered_insights_content), status.HTTP_200_OK) + res.json() except ValueError: - return (dict(error=_('Expected JSON response from Insights but instead got {}').format(res.content)), status.HTTP_502_BAD_GATEWAY) + return (dict(error=_('Expected JSON response from Insights but instead got {}').format(res.content)), + status.HTTP_502_BAD_GATEWAY) + + return res + + def get_insights(self, url, username, password): + res = self._call_insights_api(url, username, password) + if isinstance(res, tuple): # This value was constructed based on a bad response from the API. + return res + + filtered_insights_content = filter_insights_api_response(res.json()) + return (dict(insights_content=filtered_insights_content), status.HTTP_200_OK) def get(self, request, *args, **kwargs): host = self.get_object() cred = None if host.insights_system_id is None: - return Response(dict(error=_('This host is not recognized as an Insights host.')), status=status.HTTP_404_NOT_FOUND) + return Response( + dict(error=_('This host is not recognized as an Insights host.')), + status=status.HTTP_404_NOT_FOUND + ) if host.inventory and host.inventory.insights_credential: cred = host.inventory.insights_credential else: - return Response(dict(error=_('The Insights Credential for "{}" was not found.').format(host.inventory.name)), status=status.HTTP_404_NOT_FOUND) + return Response( + dict(error=_('The Insights Credential for "{}" was not found.').format(host.inventory.name)), + status=status.HTTP_404_NOT_FOUND + ) # FIXME: I know that this isn't correct, we need to do an # additional API call to /hosts to find what the Platform ID # is for this host based on its Insights system ID. 
platform_id = host.insights_system_id + (username, password) = self._extract_insights_creds(cred) + url = '{}/r/insights/platform/advisor/v1/system/{}/reports/'.format( settings.INSIGHTS_URL_BASE, platform_id) - (username, password) = self._extract_insights_creds(cred) (msg, err_code) = self.get_insights(url, username, password) return Response(msg, status=err_code) diff --git a/awx/main/tests/unit/api/test_views.py b/awx/main/tests/unit/api/test_views.py index b690285295..f27f4f1a15 100644 --- a/awx/main/tests/unit/api/test_views.py +++ b/awx/main/tests/unit/api/test_views.py @@ -148,7 +148,7 @@ class TestHostInsights(): (msg, code) = view.get_insights('https://myexample.com/whocares/me/', 'ignore', 'ignore') assert msg['error'] == ( - 'Failed to gather reports and maintenance plans from Insights API at URL' + 'Failed to access the Insights API at URL' ' https://myexample.com/whocares/me/. Server responded with 500 status code ' 'and message mock 500 err msg') From f4b0910e98f7267457a9711a41d0c0386d7c5b58 Mon Sep 17 00:00:00 2001 From: Jeff Bradberry Date: Mon, 18 Mar 2019 16:57:58 -0400 Subject: [PATCH 04/34] Call out to the Insights API to get the Platform ID for a host Since the new reports endpoint requires that, rather than the Insights system ID that we've been using (and storing on the Host model). --- awx/api/views/__init__.py | 16 +++++++++------- 1 file changed, 9 insertions(+), 7 deletions(-) diff --git a/awx/api/views/__init__.py b/awx/api/views/__init__.py index f669e5edb4..7e564082bf 100644 --- a/awx/api/views/__init__.py +++ b/awx/api/views/__init__.py 
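Review bot: `_call_insights_api` returns two unrelated types — an `(error_dict, status)` tuple on failure and the raw response on success — so every caller has to sniff with `isinstance(res, tuple)`, and the comment `# This value was constructed based on a bad response from the API.` is the sign that the contract needs an explicit shape. Returning a fixed pair such as `(res, None)` on success and `(None, (error_dict, status))` on failure, or raising a small exception that `get` catches, would remove the sentinel check. The validating `res.json()` inside `_call_insights_api` is parsed and discarded, then `get_insights` parses the body again; returning the decoded body alongside the response avoids the double parse. The HostInsights class starts and continues outside the hunk.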
@@ -1692,16 +1692,18 @@ class HostInsights(GenericAPIView): status=status.HTTP_404_NOT_FOUND ) - # FIXME: I know that this isn't correct, we need to do an - # additional API call to /hosts to find what the Platform ID - # is for this host based on its Insights system ID. - platform_id = host.insights_system_id - (username, password) = self._extract_insights_creds(cred) - url = '{}/r/insights/platform/advisor/v1/system/{}/reports/'.format( + host_url = '{}/r/insights/platform/inventory/api/v1/hosts?insights_id={}'.format( + settings.INSIGHTS_URL_BASE, host.insights_system_id) + res = self._call_insights_api(host_url, username, password) + if isinstance(res, tuple): # This value was constructed based on a bad response from the API. + return Response(res[0], status=res[1]) + platform_id = res.json()['results'][0]['id'] + + reports_url = '{}/r/insights/platform/advisor/v1/system/{}/reports/'.format( + settings.INSIGHTS_URL_BASE, platform_id) - (msg, err_code) = self.get_insights(url, username, password) + (msg, err_code) = self.get_insights(reports_url, username, password) return Response(msg, status=err_code) From 05f670a6d9e787a46363bb90930b0d0cc6bba745 Mon Sep 17 00:00:00 2001 From: Jeff Bradberry Date: Fri, 22 Mar 2019 11:03:21 -0400 Subject: [PATCH 05/34] Update the filter_insights_api_response() utility function in order to conform the output of the new Insights Advisor report endpoint to our expectations. --- awx/main/utils/insights.py | 66 ++++++++++++++++++++------------------ 1 file changed, 35 insertions(+), 31 deletions(-) diff --git a/awx/main/utils/insights.py b/awx/main/utils/insights.py index dc4901e609..4e77b105f1 100644 --- a/awx/main/utils/insights.py +++ b/awx/main/utils/insights.py 
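Review bot: `platform_id = res.json()['results'][0]['id']` raises IndexError when the inventory lookup returns an empty `results` list (a host Insights no longer knows about) and KeyError if the body is shaped differently, which surfaces as an unhandled 500 instead of the error Response every other failure in this method returns. Guard the lookup and return a 404-style error when nothing matches, as below. Separately, `host.insights_system_id` is interpolated into the query string of `host_url` unencoded; passing it through `urllib.parse.quote` (or building the query with `urllib.parse.urlencode`) keeps a stored value containing `&`, `#` or whitespace from altering the request. The start of `get` lies outside the hunk.
```python
    return Response(res[0], status=res[1])
results = res.json().get('results') or []
if not results:
    return Response(
        dict(error=_('Insights did not return a host for Insights system ID {}.').format(host.insights_system_id)),
        status=status.HTTP_404_NOT_FOUND
    )
platform_id = results[0]['id']
# … unchanged: reports_url construction and get_insights call …
```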
@@ -2,42 +2,46 @@ # All Rights Reserved. -def filter_insights_api_response(json): - new_json = {} - ''' - 'last_check_in', - 'reports.[].rule.severity', - 'reports.[].rule.description', - 'reports.[].rule.category', - 'reports.[].rule.summary', - 'reports.[].rule.ansible_fix', - 'reports.[].rule.ansible', - 'reports.[].maintenance_actions.[].maintenance_plan.name', - 'reports.[].maintenance_actions.[].maintenance_plan.maintenance_id', - ''' +# Old Insights API -> New API +# +# last_check_in -> checked_on +# reports[] -> active_reports[] +# reports[].rule.{description,summary} -> active_reports[].rule.{description,summary} +# reports[].rule.category -> active_reports[].rule.category.name +# reports[].rule.severity (str) -> active_reports[].rule.total_risk (int) - if 'last_check_in' in json: - new_json['last_check_in'] = json['last_check_in'] - if 'reports' in json: +# reports[].rule.{ansible,ansible_fix} appears to be unused +# reports[].maintenance_actions[] missing entirely, will be provided +# by a different Insights endpoint + + +def filter_insights_api_response(json): + severity_mapping = { + 1: 'INFO', + 2: 'WARN', + 3: 'ERROR', + 4: 'CRITICAL' + } + + new_json = {} + if 'checked_on' in json: + new_json['last_check_in'] = json['checked_on'] + if 'active_reports' in json: new_json['reports'] = [] - for rep in json['reports']: + for rep in json['active_reports']: new_report = { 'rule': {}, - 'maintenance_actions': [] + 'maintenance_actions': [] # This will be populated by a different API call } - if 'rule' in rep: - for k in ['severity', 'description', 'category', 'summary', 'ansible_fix', 'ansible',]: - if k in rep['rule']: - new_report['rule'][k] = rep['rule'][k] + rule = rep.get('rule') or {} + for k in ['description', 'summary']: + if k in rule: + new_report['rule'][k] = rule[k] + if 'category' in rule: + new_report['category'] = rule['category']['name'] + if rule.get('total_risk') in severity_mapping: + new_report['severity'] = 
severity_mapping[rule['total_risk']] - for action in rep.get('maintenance_actions', []): - new_action = {'maintenance_plan': {}} - if 'maintenance_plan' in action: - for k in ['name', 'maintenance_id']: - if k in action['maintenance_plan']: - new_action['maintenance_plan'][k] = action['maintenance_plan'][k] - new_report['maintenance_actions'].append(new_action) - new_json['reports'].append(new_report) + return new_json - From f01a936202e3df51e959bfbdd49d1300023edcb2 Mon Sep 17 00:00:00 2001 From: Jeff Bradberry Date: Fri, 22 Mar 2019 15:10:37 -0400 Subject: [PATCH 06/34] Update the test for filter_insights_api_response() and fix the data nesting issue that it uncovered. --- awx/main/tests/data/insights.json | 1156 ++++++++------------ awx/main/tests/unit/utils/test_insights.py | 25 +- awx/main/utils/insights.py | 4 +- 3 files changed, 449 insertions(+), 736 deletions(-) diff --git a/awx/main/tests/data/insights.json b/awx/main/tests/data/insights.json index 204985ab2f..00214fa0cd 100644 --- a/awx/main/tests/data/insights.json +++ b/awx/main/tests/data/insights.json 
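Review bot: `new_report['category'] = rule['category']['name']` and `new_report['severity'] = severity_mapping[rule['total_risk']]` write to the report itself, whereas the old function and the mapping comment above (`reports[].rule.category -> active_reports[].rule.category.name`) keep both keys under `rule`, so consumers reading `reports[].rule.severity` will no longer find them; the two lines should be `new_report['rule']['category'] = rule['category']['name']` and `new_report['rule']['severity'] = severity_mapping[rule['total_risk']]`. The following commit's "data nesting issue" appears to be exactly this, so it may already be covered. `rule['category']['name']` also raises TypeError when `category` is present but null; `(rule.get('category') or {}).get('name')` is safer, and `severity_mapping` never changes so it could be a module-level constant rather than rebuilt per call. The rewrite drops the old field list without adding a docstring; a one-liner such as `"""Map an Insights Advisor report onto the structure previously returned for the old Insights API."""` would document the contract the comment block describes.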
@@ -1,724 +1,436 @@ { - "toString": "$REDACTED$", - "isCheckingIn": false, - "system_id": "11111111-1111-1111-1111-111111111111", - "display_name": null, - "remote_branch": null, - "remote_leaf": null, - "account_number": "1111111", - "hostname": "$REDACTED$", - "parent_id": null, - "system_type_id": 105, - "last_check_in": "2017-07-21T07:07:29.000Z", - "stale_ack": false, - "type": "machine", - "product": "rhel", - "created_at": "2017-07-20T17:26:53.000Z", - "updated_at": "2017-07-21T07:07:29.000Z", - "unregistered_at": null, - "reports": [{ - "details": { - "vulnerable_setting": "hosts: files dns myhostname", - "affected_package": "glibc-2.17-105.el7", - "error_key": "GLIBC_CVE_2015_7547" - }, - "id": 955802695, - "rule_id": "CVE_2015_7547_glibc|GLIBC_CVE_2015_7547", - "system_id": "11111111-1111-1111-1111-111111111111", - "account_number": "1111111", - "uuid": "11111111111111111111111111111111", - "date": "2017-07-21T07:07:29.000Z", - "rule": { - "summary_html": "

A critical security flaw in the glibc library was found. It allows an attacker to crash an application built against that library or, potentially, execute arbitrary code with privileges of the user running the application.

\n", - "generic_html": "

The glibc library is vulnerable to a stack-based buffer overflow security flaw. A remote attacker could create specially crafted DNS responses that could cause the libresolv part of the library, which performs dual A/AAAA DNS queries, to crash or potentially execute code with the permissions of the user running the library. The issue is only exposed when libresolv is called from the nss_dns NSS service module. This flaw is known as CVE-2015-7547.

\n", - "more_info_html": "\n", - "severity": "ERROR", - "ansible": true, - "ansible_fix": false, - "ansible_mitigation": false, - "rule_id": "CVE_2015_7547_glibc|GLIBC_CVE_2015_7547", - "error_key": "GLIBC_CVE_2015_7547", - "plugin": "CVE_2015_7547_glibc", - "description": "Remote code execution vulnerability in libresolv via crafted DNS response (CVE-2015-7547)", - "summary": "A critical security flaw in the `glibc` library was found. It allows an attacker to crash an application built against that library or, potentially, execute arbitrary code with privileges of the user running the application.", - "generic": "The `glibc` library is vulnerable to a stack-based buffer overflow security flaw. A remote attacker could create specially crafted DNS responses that could cause the `libresolv` part of the library, which performs dual A/AAAA DNS queries, to crash or potentially execute code with the permissions of the user running the library. The issue is only exposed when `libresolv` is called from the nss_dns NSS service module. This flaw is known as [CVE-2015-7547](https://access.redhat.com/security/cve/CVE-2015-7547).", - "reason": "

This host is vulnerable because it has vulnerable package glibc-2.17-105.el7 installed and DNS is enabled in /etc/nsswitch.conf:

\n
hosts:      files dns myhostname\n

The glibc library is vulnerable to a stack-based buffer overflow security flaw. A remote attacker could create specially crafted DNS responses that could cause the libresolv part of the library, which performs dual A/AAAA DNS queries, to crash or potentially execute code with the permissions of the user running the library. The issue is only exposed when libresolv is called from the nss_dns NSS service module. This flaw is known as CVE-2015-7547.

\n", - "type": null, - "more_info": "* For more information about the flaw see [CVE-2015-7547](https://access.redhat.com/security/cve/CVE-2015-7547).\n* To learn how to upgrade packages, see \"[What is yum and how do I use it?](https://access.redhat.com/solutions/9934)\"\n* The Customer Portal page for the [Red Hat Security Team](https://access.redhat.com/security/) contains more information about policies, procedures, and alerts for Red Hat Products.\n* The Security Team also maintains a frequently updated blog at [securityblog.redhat.com](https://securityblog.redhat.com).", - "active": true, - "node_id": "2168451", - "category": "Security", - "retired": false, - "reboot_required": false, - "publish_date": "2016-10-31T04:08:35.000Z", - "rec_impact": 4, - "rec_likelihood": 2, - "resolution": "

Red Hat recommends updating glibc and restarting the affected system:

\n
# yum update glibc\n# reboot\n

Alternatively, you can restart all affected services, but because this vulnerability affects a large amount of applications on the system, the best solution is to restart the system.

\n" - }, - "maintenance_actions": [{ - "done": false, - "id": 305205, - "maintenance_plan": { - "maintenance_id": 29315, - "name": "RHEL Demo Infrastructure", - "description": null, - "start": null, - "end": null, - "created_by": "$READACTED$", - "silenced": false, - "hidden": false, - "suggestion": null, - "remote_branch": null, - "allow_reboot": true - } - }, { - "done": false, - "id": 305955, - "maintenance_plan": { - "maintenance_id": 29335, - "name": "RHEL Demo All Systems", - "description": null, - "start": null, - "end": null, - "created_by": "$READACTED$", - "silenced": false, - "hidden": false, - "suggestion": null, - "remote_branch": null, - "allow_reboot": true - } - }] - }, { - "details": { - "affected_kernel": "3.10.0-327.el7", - "error_key": "KERNEL_CVE-2016-0728" - }, - "id": 955802705, - "rule_id": "CVE_2016_0728_kernel|KERNEL_CVE-2016-0728", - "system_id": "11111111-1111-1111-1111-111111111111", - "account_number": "1111111", - "uuid": "11111111111111111111111111111111", - "date": "2017-07-21T07:07:29.000Z", - "rule": { - "summary_html": "

A vulnerability in the Linux kernel allowing local privilege escalation was discovered. The issue was reported as CVE-2016-0728.

\n", - "generic_html": "

A vulnerability in the Linux kernel rated Important was discovered. The use-after-free flaw relates to the way the Linux kernel's key management subsystem handles keyring object reference counting in certain error paths of the join_session_keyring() function. A local, unprivileged user could use this flaw to escalate their privileges on the system. The issue was reported as CVE-2016-0728.

\n

Red Hat recommends that you update the kernel and reboot the system. If you cannot reboot now, consider applying the systemtap patch to update your running kernel.

\n", - "more_info_html": "\n", - "severity": "WARN", - "ansible": true, - "ansible_fix": false, - "ansible_mitigation": false, - "rule_id": "CVE_2016_0728_kernel|KERNEL_CVE-2016-0728", - "error_key": "KERNEL_CVE-2016-0728", - "plugin": "CVE_2016_0728_kernel", - "description": "Kernel key management subsystem vulnerable to local privilege escalation (CVE-2016-0728)", - "summary": "A vulnerability in the Linux kernel allowing local privilege escalation was discovered. The issue was reported as [CVE-2016-0728](https://access.redhat.com/security/cve/cve-2016-0728).", - "generic": "A vulnerability in the Linux kernel rated **Important** was discovered. The use-after-free flaw relates to the way the Linux kernel's key management subsystem handles keyring object reference counting in certain error paths of the join_session_keyring() function. A local, unprivileged user could use this flaw to escalate their privileges on the system. The issue was reported as [CVE-2016-0728](https://access.redhat.com/security/cve/cve-2016-0728).\n\nRed Hat recommends that you update the kernel and reboot the system. If you cannot reboot now, consider applying the [systemtap patch](https://bugzilla.redhat.com/attachment.cgi?id=1116284&action=edit) to update your running kernel.", - "reason": "

A vulnerability in the Linux kernel rated Important was discovered. The use-after-free flaw relates to the way the Linux kernel's key management subsystem handles keyring object reference counting in certain error paths of the join_session_keyring() function. A local, unprivileged user could use this flaw to escalate their privileges on the system. The issue was reported as CVE-2016-0728.

\n

The host is vulnerable as it is running kernel-3.10.0-327.el7.

\n", - "type": null, - "more_info": "* For more information about the flaws and versions of the package that are vulnerable see [CVE-2016-0728](https://access.redhat.com/security/cve/cve-2016-0728).\n* To learn how to upgrade packages, see \"[What is yum and how do I use it?](https://access.redhat.com/solutions/9934)\"\n* The Customer Portal page for the [Red Hat Security Team](https://access.redhat.com/security/) contains more information about policies, procedures, and alerts for Red Hat Products.\n* The Security Team also maintains a frequently updated blog at [securityblog.redhat.com](https://securityblog.redhat.com).", - "active": true, - "node_id": "2130791", - "category": "Security", - "retired": false, - "reboot_required": false, - "publish_date": "2016-10-31T04:08:37.000Z", - "rec_impact": 2, - "rec_likelihood": 2, - "resolution": "

Red Hat recommends that you update kernel and reboot. If you cannot reboot now, consider applying the systemtap patch to update your running kernel.

\n
# yum update kernel\n# reboot\n-or-\n# debuginfo-install kernel     (or equivalent)\n# stap -vgt -Gfix_p=1 -Gtrace_p=0 cve20160728e.stp\n
" - }, - "maintenance_actions": [{ - "done": false, - "id": 305215, - "maintenance_plan": { - "maintenance_id": 29315, - "name": "RHEL Demo Infrastructure", - "description": null, - "start": null, - "end": null, - "created_by": "$READACTED$", - "silenced": false, - "hidden": false, - "suggestion": null, - "remote_branch": null, - "allow_reboot": true - } - }, { - "done": false, - "id": 306205, - "maintenance_plan": { - "maintenance_id": 29335, - "name": "RHEL Demo All Systems", - "description": null, - "start": null, - "end": null, - "created_by": "$READACTED$", - "silenced": false, - "hidden": false, - "suggestion": null, - "remote_branch": null, - "allow_reboot": true - } - }] - }, { - "details": { - "processes_listening_int": [ - ["neutron-o", "127.0.0.1", "6633"], - ["ovsdb-ser", "127.0.0.1", "6640"] - ], - "processes_listening_ext": [ - ["CPU", "0.0.0.0", "5900"], - ["libvirtd", "", "::16509"], - ["master", "", ":1:25"], - ["qemu-kvm", "0.0.0.0", "5900"], - ["vnc_worke", "0.0.0.0", "5900"], - ["worker", "0.0.0.0", "5900"] - ], - "error_key": "OPENSSL_CVE_2016_0800_DROWN_LISTENING", - "processes_listening": [ - ["CPU", "0.0.0.0", "5900"], - ["libvirtd", "", "::16509"], - ["master", "", ":1:25"], - ["neutron-o", "127.0.0.1", "6633"], - ["ovsdb-ser", "127.0.0.1", "6640"], - ["qemu-kvm", "0.0.0.0", "5900"], - ["vnc_worke", "0.0.0.0", "5900"], - ["worker", "0.0.0.0", "5900"] - ], - "processes_names": ["/usr/bin/", "CPU", "ceilomete", "gmain", "handler6", "libvirtd", "master", "neutron-o", "neutron-r", "nova-comp", "ovs-vswit", "ovsdb-cli", "ovsdb-ser", "pickup", "privsep-h", "qemu-kvm", "qmgr", "redhat-ac", "revalidat", "tuned", "urcu3", "virtlogd", "vnc_worke", "worker"], - "vulnerable_package": "openssl-libs-1.0.1e-42.el7_1.9" - }, - "id": 955802715, - "rule_id": "CVE_2016_0800_openssl_drown|OPENSSL_CVE_2016_0800_DROWN_LISTENING", - "system_id": "11111111-1111-1111-1111-111111111111", - "account_number": "1111111", - "uuid": "11111111111111111111111111111111", - 
"date": "2017-07-21T07:07:29.000Z", - "rule": { - "summary_html": "

A new cross-protocol attack against SSLv2 protocol has been found. It has been assigned CVE-2016-0800 and is referred to as DROWN - Decrypting RSA using Obsolete and Weakened eNcryption. An attacker can decrypt passively collected TLS sessions between up-to-date client and server which supports SSLv2.

\n", - "generic_html": "

A new cross-protocol attack against a vulnerability in the SSLv2 protocol has been found. It can be used to passively decrypt collected TLS/SSL sessions from any connection that used an RSA key exchange cypher suite on a server that supports SSLv2. Even if a given service does not support SSLv2 the connection is still vulnerable if another service does and shares the same RSA private key.

\n

A more efficient variant of the attack exists against unpatched OpenSSL servers using versions that predate security advisories released on March 19, 2015 (see CVE-2015-0293).

\n", - "more_info_html": "\n", - "severity": "ERROR", - "ansible": true, - "ansible_fix": false, - "ansible_mitigation": false, - "rule_id": "CVE_2016_0800_openssl_drown|OPENSSL_CVE_2016_0800_DROWN_LISTENING", - "error_key": "OPENSSL_CVE_2016_0800_DROWN_LISTENING", - "plugin": "CVE_2016_0800_openssl_drown", - "description": "OpenSSL with externally listening processes vulnerable to session decryption (CVE-2016-0800/DROWN)", - "summary": "A new cross-protocol attack against SSLv2 protocol has been found. It has been assigned [CVE-2016-0800](https://access.redhat.com/security/cve/CVE-2016-0800) and is referred to as DROWN - Decrypting RSA using Obsolete and Weakened eNcryption. An attacker can decrypt passively collected TLS sessions between up-to-date client and server which supports SSLv2.", - "generic": "A new cross-protocol attack against a vulnerability in the SSLv2 protocol has been found. It can be used to passively decrypt collected TLS/SSL sessions from any connection that used an RSA key exchange cypher suite on a server that supports SSLv2. Even if a given service does not support SSLv2 the connection is still vulnerable if another service does and shares the same RSA private key.\n\nA more efficient variant of the attack exists against unpatched OpenSSL servers using versions that predate security advisories released on March 19, 2015 (see [CVE-2015-0293](https://access.redhat.com/security/cve/CVE-2015-0293)).", - "reason": "

This host is vulnerable because it has vulnerable package openssl-libs-1.0.1e-42.el7_1.9 installed.

\n

It also runs the following processes that use OpenSSL libraries:

\n
  • /usr/bin/
  • CPU
  • ceilomete
  • gmain
  • handler6
  • libvirtd
  • master
  • neutron-o
  • neutron-r
  • nova-comp
  • ovs-vswit
  • ovsdb-cli
  • ovsdb-ser
  • pickup
  • privsep-h
  • qemu-kvm
  • qmgr
  • redhat-ac
  • revalidat
  • tuned
  • urcu3
  • virtlogd
  • vnc_worke
  • worker
\n\n\n\n\n

The following processes that use OpenSSL libraries are listening on the sockets bound to public IP addresses:

\n
  • CPU (0.0.0.0)
  • libvirtd ()
  • master ()
  • qemu-kvm (0.0.0.0)
  • vnc_worke (0.0.0.0)
  • worker (0.0.0.0)
\n\n\n\n\n\n\n\n\n

A new cross-protocol attack against a vulnerability in the SSLv2 protocol has been found. It can be used to passively decrypt collected TLS/SSL sessions from any connection that used an RSA key exchange cypher suite on a server that supports SSLv2. Even if a given service does not support SSLv2 the connection is still vulnerable if another service does and shares the same RSA private key.

\n

A more efficient variant of the attack exists against unpatched OpenSSL servers using versions that predate security advisories released on March 19, 2015 (see CVE-2015-0293).

\n", - "type": null, - "more_info": "* For more information about the flaw see [CVE-2016-0800](https://access.redhat.com/security/cve/CVE-2016-0800)\n* To learn how to upgrade packages, see \"[What is yum and how do I use it?](https://access.redhat.com/solutions/9934)\"\n* The Customer Portal page for the [Red Hat Security Team](https://access.redhat.com/security/) contains more information about policies, procedures, and alerts for Red Hat Products.\n* The Security Team also maintains a frequently updated blog at [securityblog.redhat.com](https://securityblog.redhat.com).", - "active": true, - "node_id": "2174451", - "category": "Security", - "retired": false, - "reboot_required": false, - "publish_date": "2016-10-31T04:08:33.000Z", - "rec_impact": 3, - "rec_likelihood": 4, - "resolution": "

Red Hat recommends that you update openssl and restart the affected system:

\n
# yum update openssl\n# reboot\n

Alternatively, you can restart all affected services (that is, the ones linked to the openssl library), especially those listening on public IP addresses.

\n" - }, - "maintenance_actions": [{ - "done": false, - "id": 305225, - "maintenance_plan": { - "maintenance_id": 29315, - "name": "RHEL Demo Infrastructure", - "description": null, - "start": null, - "end": null, - "created_by": "$READACTED$", - "silenced": false, - "hidden": false, - "suggestion": null, - "remote_branch": null, - "allow_reboot": true - } - }, { - "done": false, - "id": 306435, - "maintenance_plan": { - "maintenance_id": 29335, - "name": "RHEL Demo All Systems", - "description": null, - "start": null, - "end": null, - "created_by": "$READACTED$", - "silenced": false, - "hidden": false, - "suggestion": null, - "remote_branch": null, - "allow_reboot": true - } - }] - }, { - "details": { - "vulnerable_kernel": "3.10.0-327.el7", - "package_name": "kernel", - "error_key": "KERNEL_CVE_2016_5195_2" - }, - "id": 955802725, - "rule_id": "CVE_2016_5195_kernel|KERNEL_CVE_2016_5195_2", - "system_id": "11111111-1111-1111-1111-111111111111", - "account_number": "1111111", - "uuid": "11111111111111111111111111111111", - "date": "2017-07-21T07:07:29.000Z", - "rule": { - "summary_html": "

A flaw was found in the Linux kernel's memory subsystem. An unprivileged local user could use this flaw to write to files they would normally only have read-only access to and thus increase their privileges on the system.

\n", - "generic_html": "

A race condition was found in the way Linux kernel's memory subsystem handled breakage of the read only shared mappings COW situation on write access. An unprivileged local user could use this flaw to write to files they should normally have read-only access to, and thus increase their privileges on the system.

\n

A process that is able to mmap a file is able to race Copy on Write (COW) page creation (within get_user_pages) with madvise(MADV_DONTNEED) kernel system calls. This would allow modified pages to bypass the page protection mechanism and modify the mapped file. The vulnerability could be abused by allowing an attacker to modify existing setuid files with instructions to elevate permissions. This attack has been found in the wild.

\n

Red Hat recommends that you update the kernel package.

\n", - "more_info_html": "\n", - "severity": "WARN", - "ansible": true, - "ansible_fix": false, - "ansible_mitigation": false, - "rule_id": "CVE_2016_5195_kernel|KERNEL_CVE_2016_5195_2", - "error_key": "KERNEL_CVE_2016_5195_2", - "plugin": "CVE_2016_5195_kernel", - "description": "Kernel vulnerable to privilege escalation via permission bypass (CVE-2016-5195)", - "summary": "A flaw was found in the Linux kernel's memory subsystem. An unprivileged local user could use this flaw to write to files they would normally only have read-only access to and thus increase their privileges on the system.", - "generic": "A race condition was found in the way Linux kernel's memory subsystem handled breakage of the read only shared mappings COW situation on write access. An unprivileged local user could use this flaw to write to files they should normally have read-only access to, and thus increase their privileges on the system.\n\nA process that is able to mmap a file is able to race Copy on Write (COW) page creation (within get_user_pages) with madvise(MADV_DONTNEED) kernel system calls. This would allow modified pages to bypass the page protection mechanism and modify the mapped file. The vulnerability could be abused by allowing an attacker to modify existing setuid files with instructions to elevate permissions. This attack has been found in the wild. \n\nRed Hat recommends that you update the kernel package.\n", - "reason": "

A flaw was found in the Linux kernel's memory subsystem. An unprivileged local user could use this flaw to write to files they would normally have read-only access to and thus increase their privileges on the system.

\n

This host is affected because it is running kernel 3.10.0-327.el7.

\n", - "type": null, - "more_info": "* For more information about the flaw see [CVE-2016-5195](https://access.redhat.com/security/cve/CVE-2016-5195)\n* To learn how to upgrade packages, see \"[What is yum and how do I use it?](https://access.redhat.com/solutions/9934)\"\n* The Customer Portal page for the [Red Hat Security Team](https://access.redhat.com/security/) contains more information about policies, procedures, and alerts for Red Hat Products.\n* The Security Team also maintains a frequently updated blog at [securityblog.redhat.com](https://securityblog.redhat.com).", - "active": true, - "node_id": "2706661", - "category": "Security", - "retired": false, - "reboot_required": true, - "publish_date": "2016-10-31T04:08:33.000Z", - "rec_impact": 2, - "rec_likelihood": 2, - "resolution": "

Red Hat recommends that you update the kernel package and restart the system:

\n
# yum update kernel\n# reboot\n
" - }, - "maintenance_actions": [{ - "done": false, - "id": 305235, - "maintenance_plan": { - "maintenance_id": 29315, - "name": "RHEL Demo Infrastructure", - "description": null, - "start": null, - "end": null, - "created_by": "$READACTED$", - "silenced": false, - "hidden": false, - "suggestion": null, - "remote_branch": null, - "allow_reboot": true - } - }, { - "done": false, - "id": 306705, - "maintenance_plan": { - "maintenance_id": 29335, - "name": "RHEL Demo All Systems", - "description": null, - "start": null, - "end": null, - "created_by": "$READACTED$", - "silenced": false, - "hidden": false, - "suggestion": null, - "remote_branch": null, - "allow_reboot": true - } - }] - }, { - "details": { - "mitigation_conf": "no", - "sysctl_live_ack_limit": "100", - "package_name": "kernel", - "sysctl_live_ack_limit_line": "net.ipv4.tcp_challenge_ack_limit = 100", - "error_key": "KERNEL_CVE_2016_5696_URGENT", - "vulnerable_kernel": "3.10.0-327.el7", - "sysctl_conf_ack_limit": "100", - "sysctl_conf_ack_limit_line": "net.ipv4.tcp_challenge_ack_limit = 100 # Implicit default", - "mitigation_live": "no" - }, - "id": 955802735, - "rule_id": "CVE_2016_5696_kernel|KERNEL_CVE_2016_5696_URGENT", - "system_id": "11111111-1111-1111-1111-111111111111", - "account_number": "1111111", - "uuid": "11111111111111111111111111111111", - "date": "2017-07-21T07:07:29.000Z", - "rule": { - "summary_html": "

A flaw in the Linux kernel's TCP/IP networking subsystem implementation of the RFC 5961 challenge ACK rate limiting was found that could allow an attacker located on different subnet to inject or take over a TCP connection between a server and client without needing to use a traditional man-in-the-middle (MITM) attack.

\n", - "generic_html": "

A flaw was found in the implementation of the Linux kernel's handling of networking challenge ack (RFC 5961) where an attacker is able to determine the\nshared counter. This flaw allows an attacker located on different subnet to inject or take over a TCP connection between a server and client without needing to use a traditional man-in-the-middle (MITM) attack.

\n

Red Hat recommends that you update the kernel package or apply mitigations.

\n", - "more_info_html": "\n", - "severity": "ERROR", - "ansible": true, - "ansible_fix": false, - "ansible_mitigation": false, - "rule_id": "CVE_2016_5696_kernel|KERNEL_CVE_2016_5696_URGENT", - "error_key": "KERNEL_CVE_2016_5696_URGENT", - "plugin": "CVE_2016_5696_kernel", - "description": "Kernel vulnerable to man-in-the-middle via payload injection", - "summary": "A flaw in the Linux kernel's TCP/IP networking subsystem implementation of the [RFC 5961](https://tools.ietf.org/html/rfc5961) challenge ACK rate limiting was found that could allow an attacker located on different subnet to inject or take over a TCP connection between a server and client without needing to use a traditional man-in-the-middle (MITM) attack.", - "generic": "A flaw was found in the implementation of the Linux kernel's handling of networking challenge ack ([RFC 5961](https://tools.ietf.org/html/rfc5961)) where an attacker is able to determine the\nshared counter. This flaw allows an attacker located on different subnet to inject or take over a TCP connection between a server and client without needing to use a traditional man-in-the-middle (MITM) attack. \n\nRed Hat recommends that you update the kernel package or apply mitigations.", - "reason": "

A flaw was found in the implementation of the Linux kernel's handling of networking challenge ack (RFC 5961) where an attacker is able to determine the\nshared counter. This flaw allows an attacker located on different subnet to inject or take over a TCP connection between a server and client without needing to use a traditional man-in-the-middle (MITM) attack.

\n

This host is affected because it is running kernel 3.10.0-327.el7.

\n

Your currently loaded kernel configuration contains this setting:

\n
net.ipv4.tcp_challenge_ack_limit = 100\n

Your currently stored kernel configuration is:

\n
net.ipv4.tcp_challenge_ack_limit = 100  # Implicit default\n

There is currently no mitigation applied and your system is vulnerable.

\n", - "type": null, - "more_info": "* For more information about the flaw see [CVE-2016-5696](https://access.redhat.com/security/cve/CVE-2016-5696)\n* To learn how to upgrade packages, see \"[What is yum and how do I use it?](https://access.redhat.com/solutions/9934)\"\n* The Customer Portal page for the [Red Hat Security Team](https://access.redhat.com/security/) contains more information about policies, procedures, and alerts for Red Hat Products.\n* The Security Team also maintains a frequently updated blog at [securityblog.redhat.com](https://securityblog.redhat.com).", - "active": true, - "node_id": "2438571", - "category": "Security", - "retired": false, - "reboot_required": false, - "publish_date": "2016-10-31T04:08:32.000Z", - "rec_impact": 4, - "rec_likelihood": 2, - "resolution": "

Red Hat recommends that you update the kernel package and restart the system:

\n
# yum update kernel\n# reboot\n

or

\n

Alternatively, this issue can be addressed by applying the following mitigations until the machine is restarted with the updated kernel package.

\n

Edit /etc/sysctl.conf file as root, add the mitigation configuration, and reload the kernel configuration:

\n
# echo "net.ipv4.tcp_challenge_ack_limit = 2147483647" >> /etc/sysctl.conf \n# sysctl -p\n
" - }, - "maintenance_actions": [{ - "done": false, - "id": 305245, - "maintenance_plan": { - "maintenance_id": 29315, - "name": "RHEL Demo Infrastructure", - "description": null, - "start": null, - "end": null, - "created_by": "$READACTED$", - "silenced": false, - "hidden": false, - "suggestion": null, - "remote_branch": null, - "allow_reboot": true - } - }, { - "done": false, - "id": 306975, - "maintenance_plan": { - "maintenance_id": 29335, - "name": "RHEL Demo All Systems", - "description": null, - "start": null, - "end": null, - "created_by": "$READACTED$", - "silenced": false, - "hidden": false, - "suggestion": null, - "remote_branch": null, - "allow_reboot": true - } - }, { - "done": false, - "id": 316055, - "maintenance_plan": { - "maintenance_id": 30575, - "name": "Fix the problem", - "description": null, - "start": null, - "end": null, - "created_by": "asdavis@redhat.com", - "silenced": false, - "hidden": false, - "suggestion": null, - "remote_branch": null, - "allow_reboot": true - } - }] - }, { - "details": { - "kernel_left_fully_exploitable": true, - "vulnerable_kernel_version_release": "3.10.0-327.el7", - "kernel_kpatch_applied": false, - "kernel_vulnerable": true, - "glibc_left_fully_exploitable": true, - "vulnerable_glibc": { - "PACKAGE_NAMES": ["glibc"], - "PACKAGES": ["glibc-2.17-105.el7"] - }, - "kernel_stap_applied": false, - "error_key": "CVE_2017_1000364_KERNEL_CVE_2017_1000366_GLIBC_EXPLOITABLE", - "vulnerable_kernel_name": "kernel", - "nothing_left_fully_exploitable": false, - "glibc_vulnerable": true - }, - "id": 955802745, - "rule_id": "CVE_2017_1000366_glibc|CVE_2017_1000364_KERNEL_CVE_2017_1000366_GLIBC_EXPLOITABLE", - "system_id": "11111111-1111-1111-1111-111111111111", - "account_number": "1111111", - "uuid": "11111111111111111111111111111111", - "date": "2017-07-21T07:07:29.000Z", - "rule": { - "summary_html": "

A flaw was found in the way memory is being allocated on the stack for user space binaries. It has been assigned CVE-2017-1000364 and CVE-2017-1000366. An unprivileged local user can use this flaw to execute arbitrary code as root and increase their privileges on the system.

\n", - "generic_html": "

A flaw was found in the way memory is being allocated on the stack for user space binaries. It has been assigned CVE-2017-1000364 and CVE-2017-1000366. An unprivileged local user can use this flaw to execute arbitrary code as root and increase their privileges on the system.

\n

If heap and stack memory regions are adjacent to each other, an attacker can use this flaw to jump over the heap/stack gap, cause controlled memory corruption on process stack or heap, and thus increase their privileges on the system.

\n

An attacker must have access to a local account on the system.

\n

Red Hat recommends that you update the kernel and glibc.

\n", - "more_info_html": "\n", - "severity": "WARN", - "ansible": true, - "ansible_fix": false, - "ansible_mitigation": false, - "rule_id": "CVE_2017_1000366_glibc|CVE_2017_1000364_KERNEL_CVE_2017_1000366_GLIBC_EXPLOITABLE", - "error_key": "CVE_2017_1000364_KERNEL_CVE_2017_1000366_GLIBC_EXPLOITABLE", - "plugin": "CVE_2017_1000366_glibc", - "description": "Kernel and glibc vulnerable to local privilege escalation via stack and heap memory clash (CVE-2017-1000364 and CVE-2017-1000366)", - "summary": "A flaw was found in the way memory is being allocated on the stack for user space binaries. It has been assigned [CVE-2017-1000364](https://access.redhat.com/security/cve/CVE-2017-1000364) and [CVE-2017-1000366](https://access.redhat.com/security/cve/CVE-2017-1000366). An unprivileged local user can use this flaw to execute arbitrary code as root and increase their privileges on the system.\n", - "generic": "A flaw was found in the way memory is being allocated on the stack for user space binaries. It has been assigned CVE-2017-1000364 and CVE-2017-1000366. An unprivileged local user can use this flaw to execute arbitrary code as root and increase their privileges on the system.\n\nIf heap and stack memory regions are adjacent to each other, an attacker can use this flaw to jump over the heap/stack gap, cause controlled memory corruption on process stack or heap, and thus increase their privileges on the system. \n\nAn attacker must have access to a local account on the system.\n\nRed Hat recommends that you update the kernel and glibc.\n", - "reason": "

A flaw was found in kernel and glibc in the way memory is being allocated on the stack for user space binaries.

\n

The host is affected because it is running kernel-3.10.0-327.el7 and using glibc-2.17-105.el7.

\n", - "type": null, - "more_info": "* For more information about the flaw, see [the vulnerability article](https://access.redhat.com/security/vulnerabilities/stackguard) and [CVE-2017-1000364](https://access.redhat.com/security/cve/CVE-2017-1000364) and [CVE-2017-1000366](https://access.redhat.com/security/cve/CVE-2017-1000366).\n* To learn how to upgrade packages, see [What is yum and how do I use it?](https://access.redhat.com/solutions/9934).\n* The Customer Portal page for the [Red Hat Security Team](https://access.redhat.com/security/) contains more information about policies, procedures, and alerts for Red Hat products.\n* The Security Team also maintains a frequently updated blog at [securityblog.redhat.com](https://securityblog.redhat.com).\n", - "active": true, - "node_id": null, - "category": "Security", - "retired": false, - "reboot_required": true, - "publish_date": "2017-06-19T15:00:00.000Z", - "rec_impact": 2, - "rec_likelihood": 2, - "resolution": "

Red Hat recommends updating the kernel and glibc packages and rebooting the system.

\n
# yum update kernel glibc\n# reboot\n
" - }, - "maintenance_actions": [{ - "done": false, - "id": 305255, - "maintenance_plan": { - "maintenance_id": 29315, - "name": "RHEL Demo Infrastructure", - "description": null, - "start": null, - "end": null, - "created_by": "$READACTED$", - "silenced": false, - "hidden": false, - "suggestion": null, - "remote_branch": null, - "allow_reboot": true - } - }, { - "done": false, - "id": 307415, - "maintenance_plan": { - "maintenance_id": 29335, - "name": "RHEL Demo All Systems", - "description": null, - "start": null, - "end": null, - "created_by": "$READACTED$", - "silenced": false, - "hidden": false, - "suggestion": null, - "remote_branch": null, - "allow_reboot": true - } - }] - }, { - "details": { - "PACKAGE_NAMES": ["sudo"], - "PACKAGES": ["sudo-1.8.6p7-16.el7"], - "error_key": "CVE_2017_1000367_SUDO" - }, - "id": 955802755, - "rule_id": "CVE_2017_1000367_sudo|CVE_2017_1000367_SUDO", - "system_id": "11111111-1111-1111-1111-111111111111", - "account_number": "1111111", - "uuid": "11111111111111111111111111111111", - "date": "2017-07-21T07:07:29.000Z", - "rule": { - "summary_html": "

A local privilege escalation flaw was found in sudo. A local user having sudo access on the system,\ncould use this flaw to execute arbitrary commands as root. This issue was reported as\nCVE-2017-1000367

\n", - "generic_html": "

A local privilege escalation flaw was found in sudo. All versions of sudo package shipped with RHEL 5, 6 and 7 are vulnerable\nto a local privilege escalation vulnerability. A flaw was found in the way get_process_ttyname() function obtained\ninformation about the controlling terminal of the sudo process from the status file in the proc filesystem.\nThis allows a local user who has any level of sudo access on the system to execute arbitrary commands as root or\nin certain conditions escalate his privileges to root.

\n

Red Hat recommends that you update update the sudo package.

\n", - "more_info_html": "\n", - "severity": "WARN", - "ansible": true, - "ansible_fix": true, - "ansible_mitigation": false, - "rule_id": "CVE_2017_1000367_sudo|CVE_2017_1000367_SUDO", - "error_key": "CVE_2017_1000367_SUDO", - "plugin": "CVE_2017_1000367_sudo", - "description": "sudo vulnerable to local privilege escalation via process TTY name parsing (CVE-2017-1000367)", - "summary": "A local privilege escalation flaw was found in `sudo`. A local user having sudo access on the system,\ncould use this flaw to execute arbitrary commands as root. This issue was reported as\n[CVE-2017-1000367](https://access.redhat.com/security/cve/CVE-2017-1000367)", - "generic": "A local privilege escalation flaw was found in `sudo`. All versions of sudo package shipped with RHEL 5, 6 and 7 are vulnerable\nto a local privilege escalation vulnerability. A flaw was found in the way `get_process_ttyname()` function obtained\ninformation about the controlling terminal of the sudo process from the status file in the proc filesystem.\nThis allows a local user who has any level of sudo access on the system to execute arbitrary commands as root or\nin certain conditions escalate his privileges to root.\n\nRed Hat recommends that you update update the `sudo` package.\n", - "reason": "

This machine is vulnerable because it has vulnerable sudo package sudo-1.8.6p7-16.el7 installed.

\n", - "type": null, - "more_info": "* For more information about the remote code execution flaw [CVE-2017-1000367](https://access.redhat.com/security/cve/CVE-2017-1000367) see [knowledge base article](https://access.redhat.com/security/vulnerabilities/3059071).\n* To learn how to upgrade packages, see \"[What is yum and how do I use it?](https://access.redhat.com/solutions/9934)\"\n* To better understand [sudo](https://www.sudo.ws/), see [Sudo in a Nutshell](https://www.sudo.ws/intro.html)\n* The Customer Portal page for the [Red Hat Security Team](https://access.redhat.com/security/) contains more information about policies, procedures, and alerts for Red Hat Products.\n* The Security Team also maintains a frequently updated blog at [securityblog.redhat.com](https://securityblog.redhat.com).\n", - "active": true, - "node_id": "3059071", - "category": "Security", - "retired": false, - "reboot_required": false, - "publish_date": "2017-05-30T13:30:00.000Z", - "rec_impact": 2, - "rec_likelihood": 2, - "resolution": "

Red Hat recommends that you update the sudo package.

\n
# yum update sudo\n
" - }, - "maintenance_actions": [{ - "done": false, - "id": 305265, - "maintenance_plan": { - "maintenance_id": 29315, - "name": "RHEL Demo Infrastructure", - "description": null, - "start": null, - "end": null, - "created_by": "$READACTED$", - "silenced": false, - "hidden": false, - "suggestion": null, - "remote_branch": null, - "allow_reboot": true - } - }, { - "done": false, - "id": 308075, - "maintenance_plan": { - "maintenance_id": 29335, - "name": "RHEL Demo All Systems", - "description": null, - "start": null, - "end": null, - "created_by": "$READACTED$", - "silenced": false, - "hidden": false, - "suggestion": null, - "remote_branch": null, - "allow_reboot": true - } - }] - }, { - "details": { - "mod_loading_disabled": false, - "package_name": "kernel", - "error_key": "KERNEL_CVE_2017_2636", - "vulnerable_kernel": "3.10.0-327.el7", - "mod_loaded": false, - "mitigation_info": true - }, - "id": 955802765, - "rule_id": "CVE_2017_2636_kernel|KERNEL_CVE_2017_2636", - "system_id": "11111111-1111-1111-1111-111111111111", - "account_number": "1111111", - "uuid": "11111111111111111111111111111111", - "date": "2017-07-21T07:07:29.000Z", - "rule": { - "summary_html": "

A vulnerability in the Linux kernel allowing local privilege escalation was discovered.\nThe issue was reported as CVE-2017-2636.

\n", - "generic_html": "

A use-after-free flaw was found in the Linux kernel implementation of the HDLC (High-Level Data Link Control) TTY line discipline implementation. It has been assigned CVE-2017-2636.

\n

An unprivileged local user could use this flaw to execute arbitrary code in kernel memory and increase their privileges on the system. The kernel uses a TTY subsystem to take and show terminal output to connected systems. An attacker crafting specific-sized memory allocations could abuse this mechanism to place a kernel function pointer with malicious instructions to be executed on behalf of the attacker.

\n

An attacker must have access to a local account on the system; this is not a remote attack. Exploiting this flaw does not require Microgate or SyncLink hardware to be in use.

\n

Red Hat recommends that you use the proposed mitigation to disable the N_HDLC module.

\n", - "more_info_html": "\n", - "severity": "WARN", - "ansible": true, - "ansible_fix": false, - "ansible_mitigation": false, - "rule_id": "CVE_2017_2636_kernel|KERNEL_CVE_2017_2636", - "error_key": "KERNEL_CVE_2017_2636", - "plugin": "CVE_2017_2636_kernel", - "description": "Kernel vulnerable to local privilege escalation via n_hdlc module (CVE-2017-2636)", - "summary": "A vulnerability in the Linux kernel allowing local privilege escalation was discovered.\nThe issue was reported as [CVE-2017-2636](https://access.redhat.com/security/cve/CVE-2017-2636).\n", - "generic": "A use-after-free flaw was found in the Linux kernel implementation of the HDLC (High-Level Data Link Control) TTY line discipline implementation. It has been assigned CVE-2017-2636.\n\nAn unprivileged local user could use this flaw to execute arbitrary code in kernel memory and increase their privileges on the system. The kernel uses a TTY subsystem to take and show terminal output to connected systems. An attacker crafting specific-sized memory allocations could abuse this mechanism to place a kernel function pointer with malicious instructions to be executed on behalf of the attacker.\n\nAn attacker must have access to a local account on the system; this is not a remote attack. Exploiting this flaw does not require Microgate or SyncLink hardware to be in use.\n\nRed Hat recommends that you use the proposed mitigation to disable the N_HDLC module.\n", - "reason": "

A use-after-free flaw was found in the Linux kernel implementation of the HDLC (High-Level Data Link Control) TTY line discipline implementation.

\n

This host is affected because it is running kernel 3.10.0-327.el7.

\n", - "type": null, - "more_info": "* For more information about the flaw, see [CVE-2017-2636](https://access.redhat.com/security/cve/CVE-2017-2636) and [CVE-2017-2636 article](https://access.redhat.com/security/vulnerabilities/CVE-2017-2636).\n* The Customer Portal page for the [Red Hat Security Team](https://access.redhat.com/security/) contains more information about policies, procedures, and alerts for Red Hat products.\n* The Security Team also maintains a frequently updated blog at [securityblog.redhat.com](https://securityblog.redhat.com).\n", - "active": true, - "node_id": null, - "category": "Security", - "retired": false, - "reboot_required": false, - "publish_date": "2017-05-16T12:00:00.000Z", - "rec_impact": 2, - "rec_likelihood": 2, - "resolution": "

Red Hat recommends updating the kernel package and rebooting the system.

\n
# yum update kernel\n# reboot\n

Alternatively, apply one of the following mitigations:

\n

Disable loading of N_HDLC kernel module:

\n
# echo "install n_hdlc /bin/true" >> /etc/modprobe.d/disable-n_hdlc.conf\n
" - }, - "maintenance_actions": [{ - "done": false, - "id": 305275, - "maintenance_plan": { - "maintenance_id": 29315, - "name": "RHEL Demo Infrastructure", - "description": null, - "start": null, - "end": null, - "created_by": "$READACTED$", - "silenced": false, - "hidden": false, - "suggestion": null, - "remote_branch": null, - "allow_reboot": true - } - }, { - "done": false, - "id": 308675, - "maintenance_plan": { - "maintenance_id": 29335, - "name": "RHEL Demo All Systems", - "description": null, - "start": null, - "end": null, - "created_by": "$READACTED$", - "silenced": false, - "hidden": false, - "suggestion": null, - "remote_branch": null, - "allow_reboot": true - } - }] - }, { - "details": { - "kvr": "3.10.0-327.el7", - "error_key": "IPMI_LIST_CORRUPTION_CRASH" - }, - "id": 955826995, - "rule_id": "ipmi_list_corruption_crash|IPMI_LIST_CORRUPTION_CRASH", - "system_id": "11111111-1111-1111-1111-111111111111", - "account_number": "1111111", - "uuid": "11111111111111111111111111111111", - "date": "2017-07-21T07:07:29.000Z", - "rule": { - "summary_html": "

Kernel occasionally panics when running ipmitool command due to a bug in the ipmi message handler.

\n", - "generic_html": "

Kernel occasionally panics when running ipmitool due to a bug in the ipmi message handler.

\n", - "more_info_html": "

For how to upgrade the kernel to a specific version, refer to How do I upgrade the kernel to a particular version manually?.

\n", - "severity": "WARN", - "ansible": false, - "ansible_fix": false, - "ansible_mitigation": false, - "rule_id": "ipmi_list_corruption_crash|IPMI_LIST_CORRUPTION_CRASH", - "error_key": "IPMI_LIST_CORRUPTION_CRASH", - "plugin": "ipmi_list_corruption_crash", - "description": "Kernel panic occurs when running ipmitool command with specific kernels", - "summary": "Kernel occasionally panics when running `ipmitool` command due to a bug in the ipmi message handler.\n", - "generic": "Kernel occasionally panics when running `ipmitool` due to a bug in the ipmi message handler.\n", - "reason": "

This host is running kernel 3.10.0-327.el7 with the IPMI management tool installed.\nKernel panics can occur when running ipmitool.

\n", - "type": null, - "more_info": "For how to upgrade the kernel to a specific version, refer to [How do I upgrade the kernel to a particular version manually?](https://access.redhat.com/solutions/161803).\n", - "active": true, - "node_id": "2690791", - "category": "Stability", - "retired": false, - "reboot_required": true, - "publish_date": null, - "rec_impact": 3, - "rec_likelihood": 1, - "resolution": "

Red Hat recommends that you complete the following steps to fix this issue:

\n
    \n\n
  1. Upgrade kernel to the version 3.10.0-327.36.1.el7 or later:
  2. \n\n\n# yum update kernel\n\n
  3. Restart the host with the new kernel.
  4. \n\n# reboot\n\n
\n" - }, - "maintenance_actions": [{ - "done": false, - "id": 305285, - "maintenance_plan": { - "maintenance_id": 29315, - "name": "RHEL Demo Infrastructure", - "description": null, - "start": null, - "end": null, - "created_by": "$READACTED$", - "silenced": false, - "hidden": false, - "suggestion": null, - "remote_branch": null, - "allow_reboot": true - } - }, { - "done": false, - "id": 310145, - "maintenance_plan": { - "maintenance_id": 29335, - "name": "RHEL Demo All Systems", - "description": null, - "start": null, - "end": null, - "created_by": "$READACTED$", - "silenced": false, - "hidden": false, - "suggestion": null, - "remote_branch": null, - "allow_reboot": true - } - }] - }] + "id": 1679900, + "system_uuid": "$REDACTED$", + "account": "$REDACTED$", + "system_type": 105, + "checked_on": "2019-03-19T21:59:09.213151-04:00", + "active_reports": [ + { + "id": 16923675, + "rule": { + "id": 46, + "created_at": "2019-02-07T14:02:34.379375-05:00", + "updated_at": "2019-03-12T11:45:28.804999-04:00", + "ruleset": { + "created_at": "2018-12-20T20:33:00-05:00", + "updated_at": "2018-12-20T20:33:00-05:00", + "rule_source": "https://$REDACTED$/insights-open-source/insights-security", + "description": "Security" + }, + "rule_id": "CVE_2017_5715_cpu_virt|VIRT_CVE_2017_5715_CPU_3_ONLYKERNEL", + "description": "Kernel vulnerable to side-channel attacks in modern microprocessors (CVE-2017-5715/Spectre)", + "active": true, + "category": { + "id": 2, + "name": "Security" + }, + "impact": { + "name": "Information Disclosure", + "impact": 3 + }, + "likelihood": 2, + "node_id": "3244101", + "tags": "security kernel CVE", + "reboot_required": true, + "publish_date": "2018-01-17T12:00:00-05:00", + "summary": "A vulnerability was discovered in modern microprocessors supported by the kernel, whereby an unprivileged attacker can use this flaw to bypass restrictions to gain read access to privileged memory.\nThe issue was reported as [CVE-2017-5715 / 
Spectre](https://access.redhat.com/security/cve/CVE-2017-5715).\n", + "generic": "An industry-wide issue was found in the manner many modern microprocessors have implemented speculative execution of instructions. There are three primary variants of the issue which differ in the way the speculative execution can be exploited.\n\nAll three rely upon the fact that modern high performance microprocessors implement both speculative execution, and utilize VIPT (Virtually Indexed, Physically Tagged) level 1 data caches that may become allocated with data in the kernel virtual address space during such speculation.\n\nAn unprivileged attacker could use these to read privileged memory by conducting targeted cache side-channel attacks, including memory locations that cross the syscall boundary or the guest/host boundary, or potentially arbitrary host memory addresses.\n", + "reason": "{{? pydata.error_key == \"VIRT_CVE_2017_5715_CPU_3_VIRTKERNEL\" || pydata.error_key == \"VIRT_CVE_2017_5715_CPU_3_DRACUTKERNEL\" }}This machine is vulnerable, because it runs a vulnerable kernel and has the following vulnerable packages installed:\n\n{{~ pydata.PACKAGES :value:index}}\n* `{{= value }}`{{~}}\n{{?}}{{? pydata.error_key == \"VIRT_CVE_2017_5715_CPU_3_ONLYKERNEL\" }}This machine is vulnerable, because it runs a vulnerable kernel.\n{{?}}{{? pydata.error_key == \"VIRT_CVE_2017_5715_CPU_3_ONLYVIRT\" || pydata.error_key == \"VIRT_CVE_2017_5715_CPU_3_ONLYDRACUT\" }}This machine is vulnerable, because it has the following vulnerable packages installed:\n\n{{~ pydata.PACKAGES :value:index}}\n* `{{= value }}`{{~}}\n{{?}}\n\n\n{{? pydata.error_key == \"VIRT_CVE_2017_5715_CPU_3_DRACUTKERNEL\" || pydata.error_key == \"VIRT_CVE_2017_5715_CPU_3_ONLYDRACUT\" }}This machine has a particular family of an AMD processor for which there exists an updated version of Dracut. 
Dracut is a low-level software for generating an initramfs/initrd image that, among other tasks, selects the appropriate processor microcode to use. It is possible, but not guaranteed, that after updating the affected Dracut packages, the appropriate microcode will be selected to enable the protections for Variant 2 of this issue.\n\n{{?}}\nAn unprivileged attacker could use the vulnerability to read privileged memory by conducting targeted cache side-channel attacks, including memory locations that cross the syscall boundary or the guest/host boundary, or potentially arbitrary host memory addresses.\n", + "more_info": "* For more information about the flaw, see [Kernel Side-Channel Attacks](https://access.redhat.com/security/vulnerabilities/speculativeexecution) and [CVE-2017-5715](https://access.redhat.com/security/cve/CVE-2017-5715).\n* For possible performance impact of kernel updates, see [Speculative Execution Exploit Performance Impacts](https://access.redhat.com/articles/3307751)\n* Extensive details can be found at the [Project Zero blog](https://googleprojectzero.blogspot.ca/2018/01/reading-privileged-memory-with-side.html) and [Meltdown and Spectre Attack webpage](https://meltdownattack.com/).\n* The Customer Portal page for the [Red Hat Security Team](https://access.redhat.com/security/) contains more information about policies, procedures, and alerts for Red Hat products.\n* The Security Team also maintains a frequently updated blog at [securityblog.redhat.com](https://securityblog.redhat.com).\n", + "resolution_set": [ + { + "system_type": 105, + "resolution": "{{? 
pydata.error_key == \"VIRT_CVE_2017_5715_CPU_3_VIRTKERNEL\" || pydata.error_key == \"VIRT_CVE_2017_5715_CPU_3_DRACUTKERNEL\" }}Red Hat recommends that you update the kernel and the packages and restart the system:\n\n~~~~\n# yum update{{~ pydata.PACKAGE_NAMES :value:index}} {{= value }}{{~}}\n# yum update {{=pydata.kernel_pkg_name}}\n# reboot\n~~~~\n\nIf additional steps to update the kernel are necessary, they are detailed in the separate insights rule *Kernel vulnerable to side-channel attacks in modern microprocessors (CVE-2017-5753/Spectre, CVE-2017-5715/Spectre, CVE-2017-5754/Meltdown)*.\n{{?}}{{? pydata.error_key == \"VIRT_CVE_2017_5715_CPU_3_ONLYKERNEL\" }}Red Hat recommends that you update the kernel:\n\n~~~~\n# yum update {{=pydata.kernel_pkg_name}}\n# reboot\n~~~~\n\nIf additional steps to update the kernel are necessary, they are detailed in the separate insights rule *Kernel vulnerable to side-channel attacks in modern microprocessors (CVE-2017-5753/Spectre, CVE-2017-5715/Spectre, CVE-2017-5754/Meltdown)*.\n{{?}}{{? pydata.error_key == \"VIRT_CVE_2017_5715_CPU_3_ONLYVIRT\" || pydata.error_key == \"VIRT_CVE_2017_5715_CPU_3_ONLYDRACUT\" }}Red Hat recommends that you update the packages and restart the system:\n\n~~~~\n# yum update{{~ pydata.PACKAGE_NAMES :value:index}} {{= value }}{{~}}\n# reboot\n~~~~\n{{?}}\n\nFixes require CPU microcode/firmware to activate.\n\n**In addition:**\n\nSubscribers are advised to contact their hardware OEM to receive the appropriate microcode/firmware for their processor. Red Hat may be providing `microcode_ctl` and `linux_firmware` packages that will cover the limited subset of chipsets we were able to test, but this will **not** address many CPUs that you may have in use in your server fleet. 
Again, contacting your hardware vendor will ensure you have the appropriate software to enable the protections for Variant 2 of this issue.\n", + "resolution_risk": { + "name": "Upgrade Kernel", + "risk": 3 + }, + "has_playbook": true + } + ], + "total_risk": 2 + }, + "details": { + "type": "rule", + "cves_fail": [ + "CVE-2017-5715" + ], + "cves_pass": [], + "error_key": "VIRT_CVE_2017_5715_CPU_3_ONLYKERNEL", + "kernel_pkg_name": "kernel", + "affected_amd_family": false + }, + "resolution": { + "system_type": 105, + "resolution": "{{? pydata.error_key == \"VIRT_CVE_2017_5715_CPU_3_VIRTKERNEL\" || pydata.error_key == \"VIRT_CVE_2017_5715_CPU_3_DRACUTKERNEL\" }}Red Hat recommends that you update the kernel and the packages and restart the system:\n\n~~~~\n# yum update{{~ pydata.PACKAGE_NAMES :value:index}} {{= value }}{{~}}\n# yum update {{=pydata.kernel_pkg_name}}\n# reboot\n~~~~\n\nIf additional steps to update the kernel are necessary, they are detailed in the separate insights rule *Kernel vulnerable to side-channel attacks in modern microprocessors (CVE-2017-5753/Spectre, CVE-2017-5715/Spectre, CVE-2017-5754/Meltdown)*.\n{{?}}{{? pydata.error_key == \"VIRT_CVE_2017_5715_CPU_3_ONLYKERNEL\" }}Red Hat recommends that you update the kernel:\n\n~~~~\n# yum update {{=pydata.kernel_pkg_name}}\n# reboot\n~~~~\n\nIf additional steps to update the kernel are necessary, they are detailed in the separate insights rule *Kernel vulnerable to side-channel attacks in modern microprocessors (CVE-2017-5753/Spectre, CVE-2017-5715/Spectre, CVE-2017-5754/Meltdown)*.\n{{?}}{{? 
pydata.error_key == \"VIRT_CVE_2017_5715_CPU_3_ONLYVIRT\" || pydata.error_key == \"VIRT_CVE_2017_5715_CPU_3_ONLYDRACUT\" }}Red Hat recommends that you update the packages and restart the system:\n\n~~~~\n# yum update{{~ pydata.PACKAGE_NAMES :value:index}} {{= value }}{{~}}\n# reboot\n~~~~\n{{?}}\n\nFixes require CPU microcode/firmware to activate.\n\n**In addition:**\n\nSubscribers are advised to contact their hardware OEM to receive the appropriate microcode/firmware for their processor. Red Hat may be providing `microcode_ctl` and `linux_firmware` packages that will cover the limited subset of chipsets we were able to test, but this will **not** address many CPUs that you may have in use in your server fleet. Again, contacting your hardware vendor will ensure you have the appropriate software to enable the protections for Variant 2 of this issue.\n", + "resolution_risk": { + "name": "Upgrade Kernel", + "risk": 3 + }, + "has_playbook": true + } + }, + { + "id": 16923676, + "rule": { + "id": 49, + "created_at": "2019-02-07T14:02:34.410515-05:00", + "updated_at": "2019-03-12T11:45:28.875932-04:00", + "ruleset": { + "created_at": "2018-12-20T20:33:00-05:00", + "updated_at": "2018-12-20T20:33:00-05:00", + "rule_source": "https://$REDACTED$/insights-open-source/insights-security", + "description": "Security" + }, + "rule_id": "CVE_2017_5753_4_cpu_kernel|KERNEL_CVE_2017_5753_4_CPU_ERROR_3", + "description": "Kernel vulnerable to side-channel attacks in modern microprocessors (CVE-2017-5753/Spectre, CVE-2017-5715/Spectre, CVE-2017-5754/Meltdown)", + "active": true, + "category": { + "id": 2, + "name": "Security" + }, + "impact": { + "name": "Information Disclosure", + "impact": 3 + }, + "likelihood": 2, + "node_id": "3244101", + "tags": "security kernel CVE", + "reboot_required": true, + "publish_date": "2018-01-22T12:00:00-05:00", + "summary": "A vulnerability was discovered in modern microprocessors supported by the kernel, whereby an unprivileged attacker can use this 
flaw to bypass restrictions to gain read access to privileged memory.\nThe issue was reported as [CVE-2017-5753 / CVE-2017-5715 / Spectre](https://access.redhat.com/security/cve/CVE-2017-5753) and [CVE-2017-5754 / Meltdown](https://access.redhat.com/security/cve/CVE-2017-5754).\n", + "generic": "An industry-wide issue was found in the manner many modern microprocessors have implemented speculative execution of instructions. There are three primary variants of the issue which differ in the way the speculative execution can be exploited.\n\nAll three rely upon the fact that modern high performance microprocessors implement both speculative execution, and utilize VIPT (Virtually Indexed, Physically Tagged) level 1 data caches that may become allocated with data in the kernel virtual address space during such speculation.\n\nAn unprivileged attacker could use these to read privileged memory by conducting targeted cache side-channel attacks, including memory locations that cross the syscall boundary or the guest/host boundary, or potentially arbitrary host memory addresses.\n\nMitigations for these vulnerabilities additionally require firmware/microcode updates from hardware vendors.\n", + "reason": "This system is vulnerable to the following variant(s):\n\n{{? pydata.problems.v1_vulnerable}}* Variant 1 (Spectre/CVE-2017-5753)\n{{?}}{{? pydata.problems.v2_vulnerable}}* Variant 2 (Spectre/CVE-2017-5715)\n{{?}}{{? pydata.problems.v3_vulnerable}}* Variant 3 (Meltdown/CVE-2017-5754)\n{{?}}\n\n{{ var factors_contributing_displayed = (!pydata.problems.kernel_supports_features || !pydata.problems.firmware_supports_features || pydata.problems.pti_cmdline_disabled || pydata.problems.ibpb_cmdline_disabled || pydata.problems.ibpb_cmdline_spectre_v2_disabled || pydata.problems.ibrs_cmdline_disabled || pydata.problems.ibrs_cmdline_spectre_v2_disabled || pydata.problems.rfi_flush_cmdline_disabled) ; }}{{? 
factors_contributing_displayed }}Factors contributing to these vulnerabilities are:\n\n{{? !pydata.problems.kernel_supports_features}}* This system's kernel needs updating.\n{{?}}{{? !pydata.problems.firmware_supports_features}}* This system needs a firmware update.\n{{?}}{{? pydata.problems.pti_cmdline_disabled}}* PTI has been disabled by the `nopti` kernel argument.\n{{?}}{{? pydata.problems.ibpb_cmdline_disabled}}* IBPB has been disabled by the `noibpb` kernel argument.\n{{?}}{{? pydata.problems.ibpb_cmdline_spectre_v2_disabled}}* IBPB has been disabled by the `{{=pydata.problems.spectre_v2_disabling_cmdline}}` kernel argument.\n{{?}}{{? pydata.problems.ibrs_cmdline_disabled}}* IBRS has been disabled by the `noibrs` kernel argument.\n{{?}}{{? pydata.problems.ibrs_cmdline_spectre_v2_disabled}}* IBRS has been disabled by the `{{=pydata.problems.spectre_v2_disabling_cmdline}}` kernel argument.\n{{?}}{{? pydata.problems.rfi_flush_cmdline_disabled}}* RFI flush has been disabled by the `no_rfi_flush` kernel argument.\n{{?}}{{?}}\n\n{{? ( pydata.sysfs_vuln_md && (pydata.sysfs_vuln_md.indexOf(\"Vulnerable\") != -1)) || ( pydata.sysfs_vuln_s2 && (/Vulnerable: Minimal.*ASM retpoline/.test(pydata.sysfs_vuln_s2) || pydata.sysfs_vuln_s2.indexOf(\"Vulnerable: Retpoline without IBPB\") != -1 || pydata.sysfs_vuln_s2.indexOf(\"Vulnerable: Retpoline on Skylake\") != -1 || pydata.sysfs_vuln_s2.indexOf(\"Vulnerable: Retpoline with unsafe module\") != -1)) }}{{? factors_contributing_displayed }}Additional details:{{??}}Factors contributing to these vulnerabilities are:{{?}}\n\n{{? pydata.sysfs_vuln_md }}{{? pydata.sysfs_vuln_md.indexOf(\"Vulnerable\") != -1 }}* The CPU is vulnerable to Variant 3 (Meltdown/CVE-2017-5754) and PTI is disabled.\n{{?}}{{?}}{{? pydata.sysfs_vuln_s2 }}{{? 
/Vulnerable: Minimal.*ASM retpoline/.test(pydata.sysfs_vuln_s2) }}* The kernel has been compiled with an old version of the `gcc` compiler that doesn't support retpolines, so the kernel is vulnerable to Variant 2 (Spectre/CVE-2017-5715).\n{{?}}{{? pydata.sysfs_vuln_s2.indexOf(\"Vulnerable: Retpoline without IBPB\") != -1 }}* The CPU has vulnerable microcode, so the kernel can't use IBPB to mitigate Variant 2 (Spectre/CVE-2017-5715).\n{{?}}{{? pydata.sysfs_vuln_s2.indexOf(\"Vulnerable: Retpoline on Skylake\") != -1 }}* The CPU is Intel Skylake with updated microcode or newer, but retpolines are enabled. This type of CPU requires that IBRS is enabled and retpolines are disabled. The system is vulnerable to Variant 2 (Spectre/CVE-2017-5715) as a result.\n{{?}}{{? pydata.sysfs_vuln_s2.indexOf(\"Vulnerable: Retpoline with unsafe module\") != -1 }}* A kernel module is loaded that has been compiled with a compiler without retpoline support. As a result, the kernel is vulnerable to Variant 2 (Spectre/CVE-2017-5715).\n{{?}}{{?}}{{?}}\n\n{{? !pydata.debugfs_available || pydata.retpo_kernel_but_no_sys_cpu_vuln }}Some diagnostic information was unavailable to Insights.{{?}}\n{{? !pydata.debugfs_available }}* `debugfs` information was not available. {{? pydata.dmesg_available }}Feature settings were inferred from `dmesg` and known vendor defaults.{{??}}`dmesg` information is also unavailable, so it isn't possible to determine which mitigations are available.{{?}}\n{{?}}{{? 
pydata.retpo_kernel_but_no_sys_cpu_vuln }}* `/sys/devices/system/cpu/vulnerabilities` was not available to Insights, even though the kernel provides it.\n{{?}}\n\n", + "more_info": "* For more information about the flaws, see [Kernel Side-Channel Attacks](https://access.redhat.com/security/vulnerabilities/speculativeexecution), [CVE-2017-5754](https://access.redhat.com/security/cve/CVE-2017-5754), [CVE-2017-5753](https://access.redhat.com/security/cve/CVE-2017-5753), and [CVE-2017-5715](https://access.redhat.com/security/cve/CVE-2017-5715).\n* For possible performance impact of kernel updates, see [Speculative Execution Exploit Performance Impacts](https://access.redhat.com/articles/3307751).\n* For information related to VMs, see [How do I enable Markdown/Spectre mitigations in my virtualised machines?](https://access.redhat.com/articles/3331571)\n* Extensive details can be found at the [Project Zero blog](https://googleprojectzero.blogspot.ca/2018/01/reading-privileged-memory-with-side.html) and [Meltdown and Spectre Attack webpage](https://meltdownattack.com/).\n* More information about performance impact of the mitigations can be found in the [Speculative Execution Exploit Performance Impacts](https://access.redhat.com/articles/3307751) knowledgebase article.\n* The Customer Portal page for the [Red Hat Security Team](https://access.redhat.com/security/) contains more information about policies, procedures, and alerts for Red Hat products.\n* The Security Team also maintains a frequently updated blog at [securityblog.redhat.com](https://securityblog.redhat.com).\n", + "resolution_set": [ + { + "system_type": 105, + "resolution": "{{? pydata.dmesg_wrapped || !pydata.debugfs_available || pydata.retpo_kernel_but_no_sys_cpu_vuln }}**To improve detection reliability:**{{?}}\n{{? pydata.dmesg_wrapped}}* The kernel ring buffer has wrapped, making some information from `dmesg` unreliable. 
See [How do I increase the kernel log ring buffer size?](https://access.redhat.com/solutions/47276) for further information. Rebooting the system may also overcome this issue.\n{{?}}{{? !pydata.debugfs_available}}* Kernel debug information was not available. Mount `debugfs` as follows: \n{{? pydata.release >= 7 }}\n ~~~\n # systemctl restart sys-kernel-debug.mount\n ~~~\n{{??}}\n ~~~\n # mount -t debugfs nodev /sys/kernel/debug\n ~~~\n{{?}}{{?}}{{? pydata.retpo_kernel_but_no_sys_cpu_vuln}}* Allow Insights to collect `/sys/devices/system/cpu/vulnerabilities`.\n{{?}}\n\n**To mitigate the vulnerability:**\n{{? ( pydata.dmesg_wrapped || !pydata.dmesg_available ) && !pydata.debugfs_available && (!pydata.sysfs_vuln_s1 && !pydata.sysfs_vuln_s2 && !pydata.sysfs_vuln_md) }}* It might be necessary to improve detection reliability before we can offer more concrete mitigation steps.{{? !pydata.problems.kernel_supports_features}} If it is not possible, update the kernel package and reboot:\n ~~~\n # yum update {{=pydata.package_name}}\n # reboot\n ~~~\n{{?}}\n{{?}}{{? pydata.dmesg_available && !pydata.problems.kernel_supports_features }}* This system is running a vulnerable kernel. Update the kernel package and reboot:\n ~~~\n # yum update {{=pydata.package_name}}\n # reboot\n ~~~\n{{?}}{{? ((pydata.debugfs_available || pydata.dmesg_available) && !pydata.problems.firmware_supports_features) || (pydata.sysfs_vuln_s2 && (pydata.sysfs_vuln_s2.indexOf(\"Vulnerable: Retpoline without IBPB\") != -1)) }}* This system needs a firmware update. Contact your system hardware vendor for more information.\n{{?}}{{? pydata.problems.pti_cmdline_disabled }}* Remove the `nopti` kernel argument:\n ~~~\n # grubby --update-kernel=ALL --remove-args=nopti\n ~~~\n{{?}}{{? pydata.problems.ibpb_cmdline_disabled }}* Remove the `noibpb` kernel argument:\n ~~~\n # grubby --update-kernel=ALL --remove-args=noibpb\n ~~~\n{{?}}{{? 
pydata.problems.ibrs_cmdline_disabled }}* Remove the `noibrs` kernel argument:\n ~~~\n # grubby --update-kernel=ALL --remove-args=noibrs\n ~~~\n{{?}}{{? ( pydata.problems.ibpb_cmdline_spectre_v2_disabled || pydata.problems.ibrs_cmdline_spectre_v2_disabled ) && ( pydata.problems.spectre_v2_disabling_cmdline.indexOf(\"v2=\") != -1 ) }}* Remove the `spectre_v2` kernel argument:\n ~~~\n # grubby --update-kernel=ALL --remove-args=spectre_v2\n ~~~\n{{?}}{{? ( pydata.problems.ibpb_cmdline_spectre_v2_disabled || pydata.problems.ibrs_cmdline_spectre_v2_disabled ) && ( pydata.problems.spectre_v2_disabling_cmdline.indexOf(\"nospectre\") != -1 ) }}* Remove the `nospectre_v2` kernel argument:\n ~~~\n # grubby --update-kernel=ALL --remove-args=nospectre_v2\n ~~~\n{{?}}{{? pydata.problems.rfi_flush_cmdline_disabled }}* Remove the `no_rfi_flush` kernel argument:\n ~~~\n # grubby --update-kernel=ALL --remove-args=no_rfi_flush\n ~~~\n{{?}}{{? pydata.sysfs_vuln_s2 }}{{? /Vulnerable: Minimal.*ASM retpoline/.test(pydata.sysfs_vuln_s2) }}* This system is running a custom kernel that has been compiled with outdated `gcc`. Either recompile the kernel with retpoline-enabled `gcc` or update the kernel package and reboot:\n ~~~\n # yum update {{=pydata.package_name}}\n # reboot\n ~~~\n{{?}}{{? pydata.sysfs_vuln_s2.indexOf(\"Vulnerable: Retpoline on Skylake\") != -1 }}* Enable IBRS and disable retpolines. Retpolines are disabled automatically when IBRS is enabled:\n ~~~\n # echo 1 > /sys/kernel/debug/x86/ibrs_enabled\n ~~~\n{{?}}{{? pydata.sysfs_vuln_s2.indexOf(\"Vulnerable: Retpoline with unsafe module\") != -1 }}* Unload the kernel modules that have been compiled without a retpoline-enabled compiler. To find the affected kernel modules:\n ~~~\n # dmesg | grep \"WARNING: module.*built without retpoline-enabled compiler\"\n ~~~\nTo unload the module:\n ~~~\n # modprobe -r module_name\n ~~~\n{{?}}{{?}}{{? 
pydata.problems.pti_cmdline_disabled || pydata.problems.ibpb_cmdline_disabled || pydata.problems.ibrs_cmdline_disabled || pydata.problems.ibpb_cmdline_spectre_v2_disabled || pydata.problems.ibrs_cmdline_spectre_v2_disabled || pydata.problems.rfi_flush_cmdline_disabled }}\n ~~~\n # reboot\n ~~~\n {{?}}\n\n{{? !pydata.virtual == false || pydata.virtual === null }}**Note about virtualization**\n\nIn virtualized environment, there are more steps to mitigate the issue, including:\n* Host needs to have updated kernel and CPU microcode\n* Host needs to have updated virtualization software\n* Guest needs to have updated kernel\n* Hypervisor needs to propagate new CPU features correctly\n\nFor more details about mitigations in virtualized environment see: [https://access.redhat.com/articles/3331571](https://access.redhat.com/articles/3331571){{?}}\n\n{{? pydata.virtual == \"vmware\" }}For help with setting VMWare to propagate CPU features correctly, refer to the following knowledge-base article: [https://kb.vmware.com/s/article/52085](https://kb.vmware.com/s/article/52085){{?}}\n", + "resolution_risk": { + "name": "Upgrade Kernel", + "risk": 3 + }, + "has_playbook": true + } + ], + "total_risk": 2 + }, + "details": { + "mfr": "Intel", + "type": "rule", + "virtual": "kvm", + "problems": { + "v1_vulnerable": false, + "v2_vulnerable": true, + "v3_vulnerable": false, + "pti_cmdline_disabled": false, + "ibpb_cmdline_disabled": false, + "ibrs_cmdline_disabled": false, + "kernel_supports_features": true, + "firmware_supports_features": false, + "rfi_flush_cmdline_disabled": false, + "spectre_v2_disabling_cmdline": null, + "ibpb_cmdline_spectre_v2_disabled": false, + "ibrs_cmdline_spectre_v2_disabled": false + }, + "cves_fail": [ + "CVE-2017-5715" + ], + "cves_pass": [ + "CVE-2017-5753", + "CVE-2017-5754" + ], + "error_key": "KERNEL_CVE_2017_5753_4_CPU_ERROR_3", + "package_name": "kernel", + "dmesg_wrapped": false, + "release_major": "7", + "sysfs_vuln_md": "Mitigation: PTI", + 
"sysfs_vuln_s1": "Mitigation: Load fences, __user pointer sanitization", + "sysfs_vuln_s2": "Vulnerable: Retpoline without IBPB", + "running_kernel": "3.10.0-862.14.4.el7.x86_64", + "dmesg_available": true, + "debugfs_available": true, + "old_specs_on_client": false, + "retpo_kernel_but_no_sys_cpu_vuln": false + }, + "resolution": { + "system_type": 105, + "resolution": "{{? pydata.dmesg_wrapped || !pydata.debugfs_available || pydata.retpo_kernel_but_no_sys_cpu_vuln }}**To improve detection reliability:**{{?}}\n{{? pydata.dmesg_wrapped}}* The kernel ring buffer has wrapped, making some information from `dmesg` unreliable. See [How do I increase the kernel log ring buffer size?](https://access.redhat.com/solutions/47276) for further information. Rebooting the system may also overcome this issue.\n{{?}}{{? !pydata.debugfs_available}}* Kernel debug information was not available. Mount `debugfs` as follows: \n{{? pydata.release >= 7 }}\n ~~~\n # systemctl restart sys-kernel-debug.mount\n ~~~\n{{??}}\n ~~~\n # mount -t debugfs nodev /sys/kernel/debug\n ~~~\n{{?}}{{?}}{{? pydata.retpo_kernel_but_no_sys_cpu_vuln}}* Allow Insights to collect `/sys/devices/system/cpu/vulnerabilities`.\n{{?}}\n\n**To mitigate the vulnerability:**\n{{? ( pydata.dmesg_wrapped || !pydata.dmesg_available ) && !pydata.debugfs_available && (!pydata.sysfs_vuln_s1 && !pydata.sysfs_vuln_s2 && !pydata.sysfs_vuln_md) }}* It might be necessary to improve detection reliability before we can offer more concrete mitigation steps.{{? !pydata.problems.kernel_supports_features}} If it is not possible, update the kernel package and reboot:\n ~~~\n # yum update {{=pydata.package_name}}\n # reboot\n ~~~\n{{?}}\n{{?}}{{? pydata.dmesg_available && !pydata.problems.kernel_supports_features }}* This system is running a vulnerable kernel. Update the kernel package and reboot:\n ~~~\n # yum update {{=pydata.package_name}}\n # reboot\n ~~~\n{{?}}{{? 
((pydata.debugfs_available || pydata.dmesg_available) && !pydata.problems.firmware_supports_features) || (pydata.sysfs_vuln_s2 && (pydata.sysfs_vuln_s2.indexOf(\"Vulnerable: Retpoline without IBPB\") != -1)) }}* This system needs a firmware update. Contact your system hardware vendor for more information.\n{{?}}{{? pydata.problems.pti_cmdline_disabled }}* Remove the `nopti` kernel argument:\n ~~~\n # grubby --update-kernel=ALL --remove-args=nopti\n ~~~\n{{?}}{{? pydata.problems.ibpb_cmdline_disabled }}* Remove the `noibpb` kernel argument:\n ~~~\n # grubby --update-kernel=ALL --remove-args=noibpb\n ~~~\n{{?}}{{? pydata.problems.ibrs_cmdline_disabled }}* Remove the `noibrs` kernel argument:\n ~~~\n # grubby --update-kernel=ALL --remove-args=noibrs\n ~~~\n{{?}}{{? ( pydata.problems.ibpb_cmdline_spectre_v2_disabled || pydata.problems.ibrs_cmdline_spectre_v2_disabled ) && ( pydata.problems.spectre_v2_disabling_cmdline.indexOf(\"v2=\") != -1 ) }}* Remove the `spectre_v2` kernel argument:\n ~~~\n # grubby --update-kernel=ALL --remove-args=spectre_v2\n ~~~\n{{?}}{{? ( pydata.problems.ibpb_cmdline_spectre_v2_disabled || pydata.problems.ibrs_cmdline_spectre_v2_disabled ) && ( pydata.problems.spectre_v2_disabling_cmdline.indexOf(\"nospectre\") != -1 ) }}* Remove the `nospectre_v2` kernel argument:\n ~~~\n # grubby --update-kernel=ALL --remove-args=nospectre_v2\n ~~~\n{{?}}{{? pydata.problems.rfi_flush_cmdline_disabled }}* Remove the `no_rfi_flush` kernel argument:\n ~~~\n # grubby --update-kernel=ALL --remove-args=no_rfi_flush\n ~~~\n{{?}}{{? pydata.sysfs_vuln_s2 }}{{? /Vulnerable: Minimal.*ASM retpoline/.test(pydata.sysfs_vuln_s2) }}* This system is running a custom kernel that has been compiled with outdated `gcc`. Either recompile the kernel with retpoline-enabled `gcc` or update the kernel package and reboot:\n ~~~\n # yum update {{=pydata.package_name}}\n # reboot\n ~~~\n{{?}}{{? 
pydata.sysfs_vuln_s2.indexOf(\"Vulnerable: Retpoline on Skylake\") != -1 }}* Enable IBRS and disable retpolines. Retpolines are disabled automatically when IBRS is enabled:\n ~~~\n # echo 1 > /sys/kernel/debug/x86/ibrs_enabled\n ~~~\n{{?}}{{? pydata.sysfs_vuln_s2.indexOf(\"Vulnerable: Retpoline with unsafe module\") != -1 }}* Unload the kernel modules that have been compiled without a retpoline-enabled compiler. To find the affected kernel modules:\n ~~~\n # dmesg | grep \"WARNING: module.*built without retpoline-enabled compiler\"\n ~~~\nTo unload the module:\n ~~~\n # modprobe -r module_name\n ~~~\n{{?}}{{?}}{{? pydata.problems.pti_cmdline_disabled || pydata.problems.ibpb_cmdline_disabled || pydata.problems.ibrs_cmdline_disabled || pydata.problems.ibpb_cmdline_spectre_v2_disabled || pydata.problems.ibrs_cmdline_spectre_v2_disabled || pydata.problems.rfi_flush_cmdline_disabled }}\n ~~~\n # reboot\n ~~~\n {{?}}\n\n{{? !pydata.virtual == false || pydata.virtual === null }}**Note about virtualization**\n\nIn virtualized environment, there are more steps to mitigate the issue, including:\n* Host needs to have updated kernel and CPU microcode\n* Host needs to have updated virtualization software\n* Guest needs to have updated kernel\n* Hypervisor needs to propagate new CPU features correctly\n\nFor more details about mitigations in virtualized environment see: [https://access.redhat.com/articles/3331571](https://access.redhat.com/articles/3331571){{?}}\n\n{{? 
pydata.virtual == \"vmware\" }}For help with setting VMWare to propagate CPU features correctly, refer to the following knowledge-base article: [https://kb.vmware.com/s/article/52085](https://kb.vmware.com/s/article/52085){{?}}\n", + "resolution_risk": { + "name": "Upgrade Kernel", + "risk": 3 + }, + "has_playbook": true + } + }, + { + "id": 16923673, + "rule": { + "id": 72, + "created_at": "2019-02-07T14:02:34.653624-05:00", + "updated_at": "2019-03-12T11:45:29.372525-04:00", + "ruleset": { + "created_at": "2018-12-20T20:33:00-05:00", + "updated_at": "2018-12-20T20:33:00-05:00", + "rule_source": "https://$REDACTED$/insights-open-source/insights-security", + "description": "Security" + }, + "rule_id": "CVE_2018_3639_cpu_kernel|CVE_2018_3639_CPU_BAD_MICROCODE", + "description": "Kernel vulnerable to side-channel attacks in modern microprocessors using Speculative Store Bypass when CPU microcode is outdated (CVE-2018-3639)", + "active": true, + "category": { + "id": 2, + "name": "Security" + }, + "impact": { + "name": "Local Privilege Escalation", + "impact": 2 + }, + "likelihood": 2, + "node_id": "3448801", + "tags": "security", + "reboot_required": true, + "publish_date": "2018-05-21T21:00:00-04:00", + "summary": "An industry-wide issue was found in the manner in which many modern microprocessors have implemented speculative execution of instructions. It has been assigned [CVE-2018-3639](https://access.redhat.com/security/cve/CVE-2018-3639). Mitigations for this vulnerability require firmware/microcode updates from hardware vendors.\n\nAn unprivileged attacker can use this flaw to bypass restrictions in order to gain read access to privileged memory that would otherwise be inaccessible.\n", + "generic": "An industry-wide issue was found in the manner in which many modern microprocessors have implemented speculative execution of instructions. 
The flaw is similar to CVE-2017-5753 (aka \"Spectre v1\"), except it leverages Speculative Store Bypass memory optimization in place of the Branch Misprediction used by Spectre v1.\n\nAn unprivileged attacker can use this flaw to bypass restrictions in order to gain read access to privileged memory that would otherwise be inaccessible, e.g. to memory outside of a sandboxed environments like web browsers or JIT execution runtimes.\n\nMitigations for this vulnerability require firmware/microcode updates from hardware vendors.\n\nRed Hat recommends that you update the kernel and update firmware.\n", + "reason": "The system is vulnerable because:\n\n* CPU microcode requires an update\n", + "more_info": "* For more information about the flaw, see [the vulnerability article](https://access.redhat.com/security/vulnerabilities/ssbd).\n* To learn how to upgrade packages, see [What is yum and how do I use it?](https://access.redhat.com/solutions/9934).\n* The Customer Portal page for the [Red Hat Security Team](https://access.redhat.com/security/) contains more information about policies, procedures, and alerts for Red Hat products.\n* The Security Team also maintains a frequently updated blog at [securityblog.redhat.com](https://securityblog.redhat.com).\n", + "resolution_set": [ + { + "system_type": 105, + "resolution": "This system needs a firmware update. Contact your system hardware vendor for more information.\n\n{{? !pydata.virtual == false || pydata.virtual === null}}**Note about virtualization**\n\nIn virtualized environment, there are more steps to mitigate the issue, including:\n* Host needs to have updated kernel and CPU microcode\n* Host needs to have updated virtualization software\n* Guest needs to have updated kernel\n* Hypervisor needs to propagate new CPU features correctly\n\nFor more details about mitigations in virtualized environment see: [https://access.redhat.com/articles/3331571](https://access.redhat.com/articles/3331571){{?}}\n\n{{? 
pydata.virtual == \"vmware\" }}For help with setting VMWare to propagate CPU features correctly, refer to the following knowledge-base article: [https://kb.vmware.com/s/article/52085](https://kb.vmware.com/s/article/52085){{?}}\n", + "resolution_risk": { + "name": "Hardware Vendor Firmware Update", + "risk": 3 + }, + "has_playbook": false + } + ], + "total_risk": 2 + }, + "details": { + "rt": false, + "type": "rule", + "virtual": "kvm", + "cmd_avail": true, + "cves_fail": [ + "CVE-2018-3639" + ], + "cves_pass": [], + "error_key": "CVE_2018_3639_CPU_BAD_MICROCODE", + "running_kernel": "3.10.0-862.14.4.el7.x86_64", + "vuln_file_present": true + }, + "resolution": { + "system_type": 105, + "resolution": "This system needs a firmware update. Contact your system hardware vendor for more information.\n\n{{? !pydata.virtual == false || pydata.virtual === null}}**Note about virtualization**\n\nIn virtualized environment, there are more steps to mitigate the issue, including:\n* Host needs to have updated kernel and CPU microcode\n* Host needs to have updated virtualization software\n* Guest needs to have updated kernel\n* Hypervisor needs to propagate new CPU features correctly\n\nFor more details about mitigations in virtualized environment see: [https://access.redhat.com/articles/3331571](https://access.redhat.com/articles/3331571){{?}}\n\n{{? 
pydata.virtual == \"vmware\" }}For help with setting VMWare to propagate CPU features correctly, refer to the following knowledge-base article: [https://kb.vmware.com/s/article/52085](https://kb.vmware.com/s/article/52085){{?}}\n", + "resolution_risk": { + "name": "Hardware Vendor Firmware Update", + "risk": 3 + }, + "has_playbook": false + } + }, + { + "id": 16923678, + "rule": { + "id": 193, + "created_at": "2019-02-07T14:02:35.803497-05:00", + "updated_at": "2019-02-07T14:02:35.803513-05:00", + "ruleset": { + "created_at": "2018-12-20T20:33:00-05:00", + "updated_at": "2018-12-20T20:33:00-05:00", + "rule_source": "https://$REDACTED$/insights-open-source/insights-security", + "description": "Security" + }, + "rule_id": "hardening_httpd_pci_dss|HARDENING_HTTPD_PCI_DSS", + "description": "Decreased security in httpd when using deprecated TLS protocol version (PCI DSS)", + "active": true, + "category": { + "id": 2, + "name": "Security" + }, + "impact": { + "name": "Hardening", + "impact": 1 + }, + "likelihood": 1, + "node_id": "", + "tags": "httpd hardening security", + "reboot_required": false, + "publish_date": "2018-10-20T00:00:00-04:00", + "summary": "PCI Data Security Standard [mandates disabling](https://blog.pcisecuritystandards.org/are-you-ready-for-30-june-2018-sayin-goodbye-to-ssl-early-tls) TLS versions older than 1.1 for safeguarding payment data.\n", + "generic": "These hosts are running httpd with legacy SSL or TLS versions enabled and might be non-compliant with the PCI Data Security Standard.\n\nRed Hat recommends that you change your httpd/Apache configuration files. 
Select a host to see the host-specific details that need to be updated within the httpd/Apache configuration.\n", + "reason": "This host is running httpd with legacy SSL or TLS versions enabled and might be non-compliant with the PCI Data Security Standard.\n", + "more_info": "* For more information about the new PCI DSS rules, see [the article](https://blog.pcisecuritystandards.org/are-you-ready-for-30-june-2018-sayin-goodbye-to-ssl-early-tls)\n* [How do I globally disable TLSv1.0 on my RHEL server?](https://access.redhat.com/solutions/2157131)\n* The Customer Portal page for the [Red Hat Security Team](https://access.redhat.com/security/) contains more information about policies, procedures, and alerts for Red Hat Products.\n* The Security Team also maintains a frequently updated blog at [securityblog.redhat.com](https://securityblog.redhat.com).\n", + "resolution_set": [ + { + "system_type": 19, + "resolution": "Red Hat recommends that you disable SSLv3 and TLSv1.0.\n\n{{?pydata.ssl_protocols}}**The following SSLProtocol directive(s) in the respective Apache configuration files will need to be modified:**\n
    {{~pydata.ssl_protocols: ssl}}\n
  • `{{=ssl[0]}}` - `{{=ssl[1]}}`
  • \n{{~}}
\n\nRed Hat recommends that either of these `SSLProtocol` configurations is used:\n* `SSLProtocol -all +TLSv1.1 +TLSv1.2`\n* `SSLProtocol all -SSLv2 -SSLv3 -TLSv1`\n\nFor additional hardening, to use TLS 1.2 only, use either of these `SSLProtocol` configurations:\n* `SSLProtocol -all +TLSv1.2`\n* `SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1`\n{{?}}\n\n{{?pydata.nss_protocols}}**The following NSSProtocol directive(s) in the respective Apache configuration files will need to be modified:**\n
    {{~pydata.nss_protocols: nss}}\n
  • `{{=nss[0]}}` - `{{=nss[1]}}`
  • \n{{~}}
\n\nRed Hat recommends that this `NSSProtocol` configuration is used:\n* `NSSProtocol TLSv1.1,TLSv1.2`\n\nFor additional hardening, to use TLS 1.2 only, use the following `NSSProtocol` configuration:\n* `NSSProtocol TLSv1.2`\n{{?}}\n\nThen restart httpd:\n\n # service httpd restart\n\nMake the changes permanent in the container image by using the **docker commit** command at the next container shutdown.\n\n{{?pydata.scl_installed}}You have installed httpd from Software Collections, which uses a different configuration files path from the default httpd. Some of the detected configuration files might be applicable only if the respective httpd package is used. Red Hat recommends resolving all listed issues to prevent inadvertent exposure to the vulnerability in case the httpd you use changes in the future.\n{{?}}\n", + "resolution_risk": { + "name": "Update Service Configuration", + "risk": 3 + }, + "has_playbook": false + }, + { + "system_type": 105, + "resolution": "Red Hat recommends that you disable SSLv3 and TLSv1.0.\n\n{{?pydata.ssl_protocols}}**The following SSLProtocol directive(s) in the respective Apache configuration files will need to be modified:**\n{{~pydata.ssl_protocols: ssl}}* `{{=ssl[0]}}` - {{=ssl[1]}}\n{{~}}\n\nRed Hat recommends that either of these `SSLProtocol` configurations is used:\n* `SSLProtocol -all +TLSv1.1 +TLSv1.2`\n* `SSLProtocol all -SSLv2 -SSLv3 -TLSv1`\n\nFor additional hardening, to use TLS 1.2 only, use either of these `SSLProtocol` configurations:\n* `SSLProtocol -all +TLSv1.2`\n* `SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1`\n{{?}}\n\n{{?pydata.nss_protocols}}**The following NSSProtocol directive(s) in the respective Apache configuration files will need to be modified:**\n{{~pydata.nss_protocols: nss}}* `{{=nss[0]}}` - {{=nss[1]}}\n{{~}}\n\nRed Hat recommends that this `NSSProtocol` configuration is used:\n* `NSSProtocol TLSv1.1,TLSv1.2`\n\nFor additional hardening, to use TLS 1.2 only, use the following `NSSProtocol` 
configuration:\n* `NSSProtocol TLSv1.2`\n{{?}}\n\nThen restart httpd:\n\n # service httpd restart\n\n{{?pydata.scl_installed}}You have installed httpd from Software Collections, which uses a different configuration files path from the default httpd. Some of the detected configuration files might be applicable only if the respective httpd package is used. Red Hat recommends resolving all listed issues to prevent inadvertent exposure to the vulnerability in case the httpd you use changes in the future.\n{{?}}\n", + "resolution_risk": { + "name": "Update Service Configuration", + "risk": 3 + }, + "has_playbook": false + }, + { + "system_type": 29, + "resolution": "Red Hat recommends that you disable SSLv3 and TLSv1.0.\n\n{{?pydata.ssl_protocols}}**The following SSLProtocol directive(s) in the respective Apache configuration files will need to be modified:**\n
    {{~pydata.ssl_protocols: ssl}}\n
  • `{{=ssl[0]}}` - `{{=ssl[1]}}`
  • \n{{~}}
\n\nRed Hat recommends that either of these `SSLProtocol` configurations is used:\n* `SSLProtocol -all +TLSv1.1 +TLSv1.2`\n* `SSLProtocol all -SSLv2 -SSLv3 -TLSv1`\n\nFor additional hardening, to use TLS 1.2 only, use either of these `SSLProtocol` configurations:\n* `SSLProtocol -all +TLSv1.2`\n* `SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1`\n{{?}}\n\n{{?pydata.nss_protocols}}**The following NSSProtocol directive(s) in the respective Apache configuration files will need to be modified:**\n
    {{~pydata.nss_protocols: nss}}\n
  • `{{=nss[0]}}` - `{{=nss[1]}}`
  • \n{{~}}
\n\nRed Hat recommends that this `NSSProtocol` configuration is used:\n* `NSSProtocol TLSv1.1,TLSv1.2`\n\nFor additional hardening, to use TLS 1.2 only, use the following `NSSProtocol` configuration:\n* `NSSProtocol TLSv1.2`\n{{?}}\n\nMake the changes permanent in the image by using the **docker commit** command.\n\n{{?pydata.scl_installed}}You have installed httpd from Software Collections, which uses a different configuration files path from the default httpd. Some of the detected configuration files might be applicable only if the respective httpd package is used. Red Hat recommends resolving all listed issues to prevent inadvertent exposure to the vulnerability in case the httpd you use changes in the future.\n{{?}}\n", + "resolution_risk": { + "name": "Update Service Configuration", + "risk": 3 + }, + "has_playbook": false + } + ], + "total_risk": 1 + }, + "details": { + "type": "rule", + "error_key": "HARDENING_HTTPD_PCI_DSS", + "nss_protocols": [ + [ + "NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2", + "/etc/httpd/conf.d/nss.conf" + ] + ], + "scl_installed": false, + "ssl_protocols": null + }, + "resolution": { + "system_type": 105, + "resolution": "Red Hat recommends that you disable SSLv3 and TLSv1.0.\n\n{{?pydata.ssl_protocols}}**The following SSLProtocol directive(s) in the respective Apache configuration files will need to be modified:**\n{{~pydata.ssl_protocols: ssl}}* `{{=ssl[0]}}` - {{=ssl[1]}}\n{{~}}\n\nRed Hat recommends that either of these `SSLProtocol` configurations is used:\n* `SSLProtocol -all +TLSv1.1 +TLSv1.2`\n* `SSLProtocol all -SSLv2 -SSLv3 -TLSv1`\n\nFor additional hardening, to use TLS 1.2 only, use either of these `SSLProtocol` configurations:\n* `SSLProtocol -all +TLSv1.2`\n* `SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1`\n{{?}}\n\n{{?pydata.nss_protocols}}**The following NSSProtocol directive(s) in the respective Apache configuration files will need to be modified:**\n{{~pydata.nss_protocols: nss}}* `{{=nss[0]}}` - {{=nss[1]}}\n{{~}}\n\nRed 
Hat recommends that this `NSSProtocol` configuration is used:\n* `NSSProtocol TLSv1.1,TLSv1.2`\n\nFor additional hardening, to use TLS 1.2 only, use the following `NSSProtocol` configuration:\n* `NSSProtocol TLSv1.2`\n{{?}}\n\nThen restart httpd:\n\n # service httpd restart\n\n{{?pydata.scl_installed}}You have installed httpd from Software Collections, which uses a different configuration files path from the default httpd. Some of the detected configuration files might be applicable only if the respective httpd package is used. Red Hat recommends resolving all listed issues to prevent inadvertent exposure to the vulnerability in case the httpd you use changes in the future.\n{{?}}\n", + "resolution_risk": { + "name": "Update Service Configuration", + "risk": 3 + }, + "has_playbook": false + } + }, + { + "id": 16923677, + "rule": { + "id": 235, + "created_at": "2019-02-07T14:02:36.236195-05:00", + "updated_at": "2019-02-11T15:21:37.409742-05:00", + "ruleset": { + "created_at": "2018-05-21T22:00:51-04:00", + "updated_at": "2018-05-21T22:00:51-04:00", + "rule_source": "https://$REDACTED$/insights-open-source/insights-plugins", + "description": "Advisor" + }, + "rule_id": "httpd24_deprecated_order|DEPRECATED_ORDER_USED_INFO_V1", + "description": "Unexpected behavior when using deprecated access control directives in httpd 2.4", + "active": true, + "category": { + "id": 1, + "name": "Availability" + }, + "impact": { + "name": "Invalid Configuration", + "impact": 1 + }, + "likelihood": 3, + "node_id": "", + "tags": "sbr_webservers webservers httpd", + "reboot_required": false, + "publish_date": "2018-05-30T20:39:00-04:00", + "summary": "The httpd service does not work as expected when using old directives in httpd-2.4.\n", + "generic": "Access control is using deprecated directives (\"Order\", \"Allow\" and \"Deny\") provided by `mod_authz_compat` which has been replaced by `mod_authz_host` in **httpd 2.4**.\n", + "reason": "This host is running **{{=pydata.ver}}** and 
using the following old directives (`Order`, `Allow` or `Deny`) which have been deprecated:\n\n{{ for (var _sec in pydata.dep_conf) { }}\n* Section `<{{=_sec}}>`\n {{ for (var file in pydata.dep_conf[_sec]) { }} * Configuration file `{{=file}}`\n ```text {{ for (var dir in pydata.dep_conf[_sec][file]) { }}\n {{=pydata.dep_conf[_sec][file][dir]}} {{ } }}\n ```\n {{ } }}\n{{ } }}\n", + "more_info": "", + "resolution_set": [ + { + "system_type": 105, + "resolution": "Red Hat recommends that you replace the old directives (\"Order\", \"Allow\" and \"Deny\") with the new directive (\"Require\") in **httpd-2.4**. Please check the [Upgrading to 2.4 from 2.2](http://httpd.apache.org/docs/2.4/upgrading.html) guide for more information.\n", + "resolution_risk": { + "name": "Update Service Configuration", + "risk": 3 + }, + "has_playbook": false + } + ], + "total_risk": 2 + }, + "details": { + "ver": "httpd-2.4.6-80.el7", + "type": "rule", + "dep_conf": { + "Location /KdcProxy": { + "/etc/httpd/conf.d/ipa-kdc-proxy.conf": [ + "Order Deny,Allow", + "Allow from all" + ] + }, + "Directory /usr/share/fonts": { + "/etc/httpd/conf.d/ipa.conf": [ + "Allow from all" + ] + }, + "Directory /usr/share/ipa/ui": { + "/etc/httpd/conf.d/ipa.conf": [ + "Allow from all" + ] + }, + "Directory /usr/share/ipa/html": { + "/etc/httpd/conf.d/ipa.conf": [ + "Allow from all" + ] + }, + "Directory /usr/share/ipa/wsgi": { + "/etc/httpd/conf.d/ipa.conf": [ + "Allow from all" + ] + }, + "Location /ipa/session/sync_token": { + "/etc/httpd/conf.d/ipa.conf": [ + "Order Deny,Allow", + "Allow from all" + ] + }, + "Directory /usr/share/ipa/migration": { + "/etc/httpd/conf.d/ipa.conf": [ + "Allow from all" + ] + }, + "Location /ipa/session/login_password": { + "/etc/httpd/conf.d/ipa.conf": [ + "Order Deny,Allow", + "Allow from all" + ] + }, + "Directory /var/lib/ipa/pki-ca/publish": { + "/etc/httpd/conf.d/ipa.conf": [ + "Allow from all" + ] + }, + "Location /ipa/session/change_password": { + 
"/etc/httpd/conf.d/ipa.conf": [ + "Order Deny,Allow", + "Allow from all" + ] + } + }, + "error_key": "DEPRECATED_ORDER_USED_INFO_V1" + }, + "resolution": { + "system_type": 105, + "resolution": "Red Hat recommends that you replace the old directives (\"Order\", \"Allow\" and \"Deny\") with the new directive (\"Require\") in **httpd-2.4**. Please check the [Upgrading to 2.4 from 2.2](http://httpd.apache.org/docs/2.4/upgrading.html) guide for more information.\n", + "resolution_risk": { + "name": "Update Service Configuration", + "risk": 3 + }, + "has_playbook": false + } + } + ] } diff --git a/awx/main/tests/unit/utils/test_insights.py b/awx/main/tests/unit/utils/test_insights.py index fe160e666f..96351338b7 100644 --- a/awx/main/tests/unit/utils/test_insights.py +++ b/awx/main/tests/unit/utils/test_insights.py 
@@ -9,16 +9,17 @@ from awx.main.tests.data.insights import TEST_INSIGHTS_PLANS def test_filter_insights_api_response(): actual = filter_insights_api_response(TEST_INSIGHTS_PLANS) - assert actual['last_check_in'] == '2017-07-21T07:07:29.000Z' - assert len(actual['reports']) == 9 - assert actual['reports'][0]['maintenance_actions'][0]['maintenance_plan']['name'] == "RHEL Demo Infrastructure" - assert actual['reports'][0]['maintenance_actions'][0]['maintenance_plan']['maintenance_id'] == 29315 - assert actual['reports'][0]['rule']['severity'] == 'ERROR' - assert actual['reports'][0]['rule']['description'] == 'Remote code execution vulnerability in libresolv via crafted DNS response (CVE-2015-7547)' - assert actual['reports'][0]['rule']['category'] == 'Security' - assert actual['reports'][0]['rule']['summary'] == ("A critical security flaw in the `glibc` library was found. " - "It allows an attacker to crash an application built against " - "that library or, potentially, execute arbitrary code with " - "privileges of the user running the application.") - assert actual['reports'][0]['rule']['ansible_fix'] is False + assert actual['last_check_in'] == '2019-03-19T21:59:09.213151-04:00' + assert len(actual['reports']) == 5 + assert len(actual['reports'][0]['maintenance_actions']) == 0 + rule = actual['reports'][0]['rule'] + assert rule['severity'] == 'WARN' + assert rule['description'] == ( + "Kernel vulnerable to side-channel attacks in modern microprocessors (CVE-2017-5715/Spectre)") + assert rule['category'] == 'Security' + assert rule['summary'] == ( + "A vulnerability was discovered in modern microprocessors supported by the kernel," + " whereby an unprivileged attacker can use this flaw to bypass restrictions to gain read" + " access to privileged memory.\nThe issue was reported as [CVE-2017-5715 / Spectre]" + "(https://access.redhat.com/security/cve/CVE-2017-5715).\n") 
diff --git a/awx/main/utils/insights.py b/awx/main/utils/insights.py index 4e77b105f1..f65cecb4e8 100644 --- a/awx/main/utils/insights.py +++ b/awx/main/utils/insights.py @@ -38,9 +38,9 @@ def filter_insights_api_response(json): if k in rule: new_report['rule'][k] = rule[k] if 'category' in rule: - new_report['category'] = rule['category']['name'] + new_report['rule']['category'] = rule['category']['name'] if rule.get('total_risk') in severity_mapping: - new_report['severity'] = severity_mapping[rule['total_risk']] + new_report['rule']['severity'] = severity_mapping[rule['total_risk']] new_json['reports'].append(new_report) From af2484cd97e3ea8670f5a673fcddf02f689b278f Mon Sep 17 00:00:00 2001 From: Jeff Bradberry Date: Thu, 28 Mar 2019 11:26:39 -0400 Subject: [PATCH 07/34] Update the Insights API urls to use the new url structure --- awx/api/views/__init__.py | 4 ++-- awx/playbooks/action_plugins/insights.py | 6 ++---- 2 files changed, 4 insertions(+), 6 deletions(-) diff --git a/awx/api/views/__init__.py b/awx/api/views/__init__.py index 7e564082bf..9068629a5e 100644 --- a/awx/api/views/__init__.py +++ b/awx/api/views/__init__.py @@ -1694,14 +1694,14 @@ class HostInsights(GenericAPIView): (username, password) = self._extract_insights_creds(cred) - host_url = '{}/r/insights/platform/inventory/api/v1/hosts?insights_id={}'.format( + host_url = '{}/api/inventory/v1/hosts?insights_id={}'.format( settings.INSIGHTS_URL_BASE, host.insights_system_id) res = self._call_insights_api(host_url, username, password) if isinstance(res, tuple): # This value was constructed based on a bad response from the API. return Response(res[0], status=res[1]) platform_id = res.json()['results'][0]['id'] - reports_url = '{}/r/insights/platform/advisor/v1/system/{}/reports/'.format( + reports_url = '{}/api/insights/v1/system/{}/reports/'.format( settings.INSIGHTS_URL_BASE, platform_id) (msg, err_code) = self.get_insights(reports_url, username, password) return Response(msg, status=err_code) 
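Review bot: In the HostInsights hunk, `platform_id = res.json()['results'][0]['id']` indexes into `results` without checking it is non-empty, so a host that the inventory service does not know about raises IndexError and surfaces as a 500 instead of the 404/502 responses the surrounding code produces. A guard such as `results = res.json().get('results') or []` followed by `if not results: return Response(dict(error=_('Host not found in Insights inventory.')), status=status.HTTP_404_NOT_FOUND)` keeps the error shape consistent. `host.insights_system_id` is also interpolated into the query string unencoded; passing it through `urllib.parse.quote` would avoid a malformed or mis-scoped query if the stored value ever contains reserved characters. The `get` method this sits in starts and ends outside the hunk.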
diff --git a/awx/playbooks/action_plugins/insights.py b/awx/playbooks/action_plugins/insights.py index 26fd4cd754..5cb19b45cf 100644 --- a/awx/playbooks/action_plugins/insights.py +++ b/awx/playbooks/action_plugins/insights.py @@ -54,9 +54,7 @@ class ActionModule(ActionBase): license ) } - - - url = '{}/r/insights/platform/remediations/v1/remediations?sort=-updated_at'.format(insights_url) + url = '{}/api/remediations/v1/remediations?sort=-updated_at'.format(insights_url) res = session.get(url, headers=headers, timeout=120) @@ -81,7 +79,7 @@ class ActionModule(ActionBase): return result for item in res.json()['remediations']: - url = '{}/r/insights/platform/remediations/v1/remediations/{}/playbook'.format( + url = '{}/api/remediations/v1/remediations/{}/playbook'.format( insights_url, item['id']) res = session.get(url, timeout=120) if res.status_code != 200: From 63209197ddc6acc622b5bc6bae04a2a5506de098 Mon Sep 17 00:00:00 2001 From: Jeff Bradberry Date: Fri, 5 Apr 2019 14:48:20 -0400 Subject: [PATCH 08/34] Iterate over the pages of remediations available --- awx/playbooks/action_plugins/insights.py | 68 +++++++++++++----------- 1 file changed, 36 insertions(+), 32 deletions(-) diff --git a/awx/playbooks/action_plugins/insights.py b/awx/playbooks/action_plugins/insights.py index 5cb19b45cf..3a465f3c5d 100644 --- a/awx/playbooks/action_plugins/insights.py +++ b/awx/playbooks/action_plugins/insights.py @@ -19,9 +19,8 @@ class ActionModule(ActionBase): def is_stale(self, proj_path, etag): file_path = os.path.join(proj_path, '.version') try: - f = open(file_path, 'r') - version = f.read() - f.close() + with open(file_path, 'r') as f: + version = f.read() return version != etag except IOError: return True @@ -32,7 +31,6 @@ class ActionModule(ActionBase): f.write(etag) def run(self, tmp=None, task_vars=None): - self._supports_check_mode = False result = super(ActionModule, self).run(tmp, task_vars) 
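Review bot: Dropping `self._supports_check_mode = False` from `run` (the `@@ -32,7 +31,6 @@` hunk) changes how the plugin behaves under `--check`: it previously refused to run, and unless `ActionBase` defaults that flag elsewhere, the action will now proceed and write playbooks and the `.version` marker to `proj_path` during a check-mode run, which contradicts what check mode promises. If the removal is intentional, the commit message should say so and `run` should short-circuit before any write when check mode is active, e.g. `if self._play_context.check_mode: result['changed'] = False; return result` (the exact attribute to consult is outside the hunk and should be confirmed). The rest of `run` lies outside this hunk.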
@@ -54,34 +52,10 @@ class ActionModule(ActionBase): license ) } - url = '{}/api/remediations/v1/remediations?sort=-updated_at'.format(insights_url) + url = '/api/remediations/v1/remediations' + while url: + res = session.get('{}{}'.format(insights_url, url), headers=headers, timeout=120) - res = session.get(url, headers=headers, timeout=120) - - if res.status_code != 200: - result['failed'] = True - result['msg'] = ( - 'Expected {} to return a status code of 200 but returned status ' - 'code "{}" instead with content "{}".'.format(url, res.status_code, res.content) - ) - return result - - if 'ETag' in res.headers: - version = res.headers['ETag'] - if version.startswith('"') and version.endswith('"'): - version = version[1:-1] - else: - version = "ETAG_NOT_FOUND" - - if not self.is_stale(proj_path, version): - result['changed'] = False - result['version'] = version - return result - - for item in res.json()['remediations']: - url = '{}/api/remediations/v1/remediations/{}/playbook'.format( - insights_url, item['id']) - res = session.get(url, timeout=120) if res.status_code != 200: result['failed'] = True result['msg'] = ( 
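Review bot: With `url` now holding the relative path `/api/remediations/v1/remediations` while the request goes to `'{}{}'.format(insights_url, url)`, the failure message built in the `if res.status_code != 200:` branch (its `.format(url, res.status_code, res.content)` is context in the next hunk) reports only the path, not the URL that was actually requested. Binding the full URL once, `page_url = '{}{}'.format(insights_url, url)`, and using `page_url` in both the `session.get` call and the message keeps the diagnostics accurate, and would also make the pagination step below read more naturally. The body of `run` continues beyond this hunk.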
@@ -89,7 +63,37 @@ class ActionModule(ActionBase): 'code "{}" instead with content "{}".'.format(url, res.status_code, res.content) ) return result - self.save_playbook(proj_path, item, res.content) + + # FIXME: ETags are (maybe?) not yet supported in the new + # API, and even if they are we'll need to put some thought + # into how to deal with them in combination with pagination. + if 'ETag' in res.headers: + version = res.headers['ETag'] + if version.startswith('"') and version.endswith('"'): + version = version[1:-1] + else: + version = "ETAG_NOT_FOUND" + + if not self.is_stale(proj_path, version): + result['changed'] = False + result['version'] = version + return result + + url = res.json()['links']['next'] # will be None if we're on the last page + + for item in res.json()['remediations']: + playbook_url = '{}/api/remediations/v1/remediations/{}/playbook'.format( + insights_url, item['id']) + res = session.get(playbook_url, timeout=120) + if res.status_code != 200: + result['failed'] = True + result['msg'] = ( + 'Expected {} to return a status code of 200 but returned status ' + 'code "{}" instead with content "{}".'.format( + playbook_url, res.status_code, res.content) + ) + return result + self.save_playbook(proj_path, item, res.content) self.write_version(proj_path, version) From 596a5173cea91d8b74bb1f7c8f975ac4b14c09ae Mon Sep 17 00:00:00 2001 From: Jeff Bradberry Date: Mon, 8 Apr 2019 16:36:26 -0400 Subject: [PATCH 09/34] Modify filter_insights_api_response to take in the separate remediations since it is accumulated via a different API call. --- awx/main/tests/data/insights.py | 4 ++- .../tests/data/insights_remediations.json | 33 +++++++++++++++++++ awx/main/tests/unit/utils/test_insights.py | 7 ++-- awx/main/utils/insights.py | 14 ++++---- .../inventories/insights/plan-filter.js | 4 +-- 5 files changed, 49 insertions(+), 13 deletions(-) create mode 100644 awx/main/tests/data/insights_remediations.json 
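Review bot: The ETag staleness check now runs once per page inside the `while url:` loop, but `self.write_version(proj_path, version)` after the loop stores only the last page's ETag, so on the next run the first page's ETag is compared against the last page's stored value and, whenever any single page matches, the early `return` skips every page after it. If ETags differ per page (the FIXME says this is unknown), the check either never reports "unchanged" or silently truncates the sync. Until the API semantics are confirmed, capturing `version` from the first page only and comparing once before fetching further pages, with a comment such as `# ETag of the first page stands in for the whole listing until per-page ETags are understood`, would make the behaviour at least predictable. Note also that `res` is rebound by the inner playbook loop; the outer `url = res.json()['links']['next']` is read before that, which is correct, but a distinct name like `page_res` would make the ordering dependency obvious. `save_playbook` and the start of `run` lie outside this hunk.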
diff --git a/awx/main/tests/data/insights.py b/awx/main/tests/data/insights.py index 325dff7ba8..6fdca9540a 100644 --- a/awx/main/tests/data/insights.py +++ b/awx/main/tests/data/insights.py @@ -5,5 +5,7 @@ import os dir_path = os.path.dirname(os.path.realpath(__file__)) with open(os.path.join(dir_path, 'insights.json')) as data_file: - TEST_INSIGHTS_PLANS = json.loads(data_file.read()) + TEST_INSIGHTS_PLANS = json.load(data_file) +with open(os.path.join(dir_path, 'insights_remediations.json')) as data_file: + TEST_INSIGHTS_REMEDIATIONS = json.load(data_file)['data'] diff --git a/awx/main/tests/data/insights_remediations.json b/awx/main/tests/data/insights_remediations.json new file mode 100644 index 0000000000..17a2fb1541 --- /dev/null +++ b/awx/main/tests/data/insights_remediations.json @@ -0,0 +1,33 @@ +{ + "data": [ + { + "id": "9197ba55-0abc-4028-9bbe-269e530f8bd5", + "name": "Fix Critical CVEs", + "created_by": { + "username": "jharting@redhat.com", + "first_name": "Jozef", + "last_name": "Hartinger" + }, + "created_at": "2018-12-05T08:19:36.641Z", + "updated_by": { + "username": "jharting@redhat.com", + "first_name": "Jozef", + "last_name": "Hartinger" + }, + "updated_at": "2018-12-05T08:19:36.641Z", + "issue_count": 0, + "system_count": 0, + "needs_reboot": true + } + ], + "meta": { + "count": 0, + "total": 0 + }, + "links": { + "first": null, + "last": null, + "next": null, + "previous": null + } +} diff --git a/awx/main/tests/unit/utils/test_insights.py b/awx/main/tests/unit/utils/test_insights.py index 96351338b7..72de5018bc 100644 --- a/awx/main/tests/unit/utils/test_insights.py +++ b/awx/main/tests/unit/utils/test_insights.py 
@@ -3,15 +3,16 @@ from awx.main.utils.insights import filter_insights_api_response -from awx.main.tests.data.insights import TEST_INSIGHTS_PLANS +from awx.main.tests.data.insights import TEST_INSIGHTS_PLANS, TEST_INSIGHTS_REMEDIATIONS def test_filter_insights_api_response(): - actual = filter_insights_api_response(TEST_INSIGHTS_PLANS) + actual = filter_insights_api_response(TEST_INSIGHTS_PLANS, TEST_INSIGHTS_REMEDIATIONS) assert actual['last_check_in'] == '2019-03-19T21:59:09.213151-04:00' assert len(actual['reports']) == 5 - assert len(actual['reports'][0]['maintenance_actions']) == 0 + assert len(actual['reports'][0]['maintenance_actions']) == 1 + assert actual['reports'][0]['maintenance_actions'][0]['name'] == "Fix Critical CVEs" rule = actual['reports'][0]['rule'] assert rule['severity'] == 'WARN' diff --git a/awx/main/utils/insights.py b/awx/main/utils/insights.py index f65cecb4e8..d4b4cf0d25 100644 --- a/awx/main/utils/insights.py +++ b/awx/main/utils/insights.py @@ -11,11 +11,11 @@ # reports[].rule.severity (str) -> active_reports[].rule.total_risk (int) # reports[].rule.{ansible,ansible_fix} appears to be unused -# reports[].maintenance_actions[] missing entirely, will be provided +# reports[].maintenance_actions[] missing entirely, is now provided # by a different Insights endpoint -def filter_insights_api_response(json): +def filter_insights_api_response(reports, remediations): severity_mapping = { 1: 'INFO', 2: 'WARN', 
@@ -24,14 +24,14 @@ def filter_insights_api_response(json): } new_json = {} - if 'checked_on' in json: - new_json['last_check_in'] = json['checked_on'] - if 'active_reports' in json: + if 'checked_on' in reports: + new_json['last_check_in'] = reports['checked_on'] + if 'active_reports' in reports: new_json['reports'] = [] - for rep in json['active_reports']: + for rep in reports['active_reports']: new_report = { 'rule': {}, - 'maintenance_actions': [] # This will be populated by a different API call + 'maintenance_actions': remediations } rule = rep.get('rule') or {} for k in ['description', 'summary']: diff --git a/awx/ui/client/src/inventories-hosts/inventories/insights/plan-filter.js b/awx/ui/client/src/inventories-hosts/inventories/insights/plan-filter.js index 40916cd5ec..5c404acaaf 100644 --- a/awx/ui/client/src/inventories-hosts/inventories/insights/plan-filter.js +++ b/awx/ui/client/src/inventories-hosts/inventories/insights/plan-filter.js @@ -9,8 +9,8 @@ if(plan === null || plan === undefined){ return "PLAN: Not Available CREATE A NEW PLAN IN INSIGHTS"; } else { - let name = (plan.maintenance_plan.name === null) ? "Unnamed Plan" : plan.maintenance_plan.name; - return `${name} (${plan.maintenance_plan.maintenance_id})`; + let name = (plan.name === null) ? "Unnamed Plan" : plan.name; + return `${name} (${plan.id})`; } }; } From a97865de0c28c466e075a78c876f2af2e24e4964 Mon Sep 17 00:00:00 2001 From: Jeff Bradberry Date: Mon, 8 Apr 2019 16:44:21 -0400 Subject: [PATCH 10/34] Refactor HostInsights for better reuse of the error handling of the Insights API calls. --- awx/api/views/__init__.py | 132 ++++++++++++++--------- awx/main/tests/unit/api/test_views.py | 97 ----------------- awx/playbooks/action_plugins/insights.py | 2 +- 3 files changed, 83 insertions(+), 148 deletions(-) diff --git a/awx/api/views/__init__.py b/awx/api/views/__init__.py index 9068629a5e..f88995b53e 100644 --- a/awx/api/views/__init__.py +++ b/awx/api/views/__init__.py 
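Review bot: `'maintenance_actions': remediations` attaches the same list object to every report, so the output is not scoped per report and any later in-place modification of one report's list (by the view, the UI layer, or a test) changes all of them. If the remediations endpoint does not associate remediations with individual rules, the association should at least be a copy, `'maintenance_actions': list(remediations)`, and the module comment above `filter_insights_api_response` should state that the list is the host-wide set rather than actions for that specific rule. If the API does expose a rule or issue reference on each remediation, filtering on it here would restore the per-report meaning the old `maintenance_actions` field had. The function's remaining body is outside this hunk.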
@@ -31,7 +31,7 @@ from django.utils.translation import ugettext_lazy as _ # Django REST Framework -from rest_framework.exceptions import PermissionDenied, ParseError +from rest_framework.exceptions import APIException, PermissionDenied, ParseError from rest_framework.parsers import FormParser from rest_framework.permissions import AllowAny, IsAuthenticated from rest_framework.renderers import JSONRenderer, StaticHTMLRenderer 
@@ -1613,17 +1613,57 @@ class HostActivityStreamList(SubListAPIView): return qs.filter(Q(host=parent) | Q(inventory=parent.inventory)) +class BadGateway(APIException): + status_code = status.HTTP_502_BAD_GATEWAY + default_detail = '' + default_code = 'bad_gateway' + + +class GatewayTimeout(APIException): + status_code = status.HTTP_504_GATEWAY_TIMEOUT + default_detail = '' + default_code = 'gateway_timeout' + + class HostInsights(GenericAPIView): model = models.Host serializer_class = serializers.EmptySerializer - def _extract_insights_creds(self, credential): - return (credential.get_input('username', default=''), credential.get_input('password', default='')) + def _call_insights_api(self, url, session, headers): + try: + res = session.get(url, headers=headers, timeout=120) + except requests.exceptions.SSLError: + raise BadGateway(_('SSLError while trying to connect to {}').format(url)) + except requests.exceptions.Timeout: + raise GatewayTimeout(_('Request to {} timed out.').format(url)) + except requests.exceptions.RequestException as e: + raise BadGateway(_('Unknown exception {} while trying to GET {}').format(e, url)) - def _get_insights(self, url, username, password): + if res.status_code == 401: + raise BadGateway( + _('Unauthorized access. Please check your Insights Credential username and password.')) + elif res.status_code != 200: + raise BadGateway( + _( + 'Failed to access the Insights API at URL {}.' 
+ ' Server responded with {} status code and message {}' + ).format(url, res.status_code, res.content) + ) + + try: + return res.json() + except ValueError: + raise BadGateway( + _('Expected JSON response from Insights but instead got {}').format(res.content)) + + def _get_session(self, username, password): session = requests.Session() session.auth = requests.auth.HTTPBasicAuth(username, password) + + return session + + def _get_headers(self): license = get_license(show_key=False).get('license_type', 'UNLICENSED') headers = { 'Content-Type': 'application/json', 
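Review bot: In `_call_insights_api`, `res.content` is `bytes`, so `'... message {}'.format(url, res.status_code, res.content)` and the `'Expected JSON response from Insights but instead got {}'` message render as `b'...'` in the API error detail; `res.text` is the decoded form that was intended. Both messages also return the upstream response body verbatim to the AWX API client; a defensive bound such as `res.text[:500]` keeps a large or unexpected upstream page from being reflected wholesale into the 502 payload. The `except` clauses would read more clearly with explicit chaining (`raise BadGateway(...) from e`), though Python 3 already records the context implicitly. The `_get_headers` method that this hunk ends inside continues past the hunk.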
@@ -1633,46 +1673,43 @@ class HostInsights(GenericAPIView): license ) } - return session.get(url, headers=headers, timeout=120) - def _call_insights_api(self, url, username, password): - try: - res = self._get_insights(url, username, password) - except requests.exceptions.SSLError: - return (dict(error=_('SSLError while trying to connect to {}').format(url)), - status.HTTP_502_BAD_GATEWAY) - except requests.exceptions.Timeout: - return (dict(error=_('Request to {} timed out.').format(url)), - status.HTTP_504_GATEWAY_TIMEOUT) - except requests.exceptions.RequestException as e: - return (dict(error=_('Unknown exception {} while trying to GET {}').format(e, url)), - status.HTTP_502_BAD_GATEWAY) + return headers - if res.status_code == 401: - msg = _('Unauthorized access. Please check your Insights Credential username and password.') - return (dict(error=msg), status.HTTP_502_BAD_GATEWAY) - elif res.status_code != 200: - msg = _( - 'Failed to access the Insights API at URL {}.' - ' Server responded with {} status code and message {}' - ).format(url, res.status_code, res.content) - return (dict(error=msg), status.HTTP_502_BAD_GATEWAY) + def _get_platform_id(self, host, session, headers): + url = '{}/api/inventory/v1/hosts?insights_id={}'.format( + settings.INSIGHTS_URL_BASE, host.insights_system_id) + res = self._call_insights_api(url, session, headers) + platform_id = res['results'][0]['id'] - try: - res.json() - except ValueError: - return (dict(error=_('Expected JSON response from Insights but instead got {}').format(res.content)), - status.HTTP_502_BAD_GATEWAY) + return platform_id - return res + def _get_reports(self, platform_id, session, headers): + url = '{}/api/insights/v1/system/{}/reports/'.format( + settings.INSIGHTS_URL_BASE, platform_id) - def get_insights(self, url, username, password): - res = self._call_insights_api(url, username, password) - if isinstance(res, tuple): # This value was constructed based on a bad response from the API. 
- return res + return self._call_insights_api(url, session, headers) - filtered_insights_content = filter_insights_api_response(res.json()) - return (dict(insights_content=filtered_insights_content), status.HTTP_200_OK) + def _get_remediations(self, platform_id, session, headers): + url = '{}/api/remediations/v1/?system={}'.format( + settings.INSIGHTS_URL_BASE, platform_id) + + remediations = [] + + # Iterate over all of the pages of content. + while url: + data = self._call_insights_api(url, session, headers) + remediations.extend(data['data']) + + url = data['links']['next'] # Will be `None` if this is the last page. + + return remediations + + def _get_insights(self, platform_id, session, headers): + reports = self._get_reports(platform_id, session, headers) + remediations = self._get_remediations(platform_id, session, headers) + + return {'insights_content': filter_insights_api_response(reports, remediations)} def get(self, request, *args, **kwargs): host = self.get_object() 
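Review bot: `_get_platform_id` reads `res['results'][0]['id']` without checking for an empty `results`, so a host unknown to the Insights inventory service raises IndexError and becomes a 500 instead of the BadGateway/404 responses the rest of the view produces; `results = res.get('results') or []` followed by `if not results: raise BadGateway(_('No Insights inventory record found for system {}').format(host.insights_system_id))` keeps the error path uniform. `_get_remediations` also treats `data['links']['next']` as a complete URL passed straight to `_call_insights_api`, while the action plugin in this same series prepends `insights_url` to the same field, so one of the two is wrong unless the API returns absolute links; which it does should be confirmed and noted in a comment on the `url = data['links']['next']` line. Finally, `host.insights_system_id` is interpolated into the `hosts?insights_id=` query unencoded; `urllib.parse.quote` would make that robust. The `get` method begins in this hunk and continues past it.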
@@ -1692,19 +1729,14 @@ class HostInsights(GenericAPIView): status=status.HTTP_404_NOT_FOUND ) - (username, password) = self._extract_insights_creds(cred) + username = cred.get_input('username', default='') + password = cred.get_input('password', default='') + session = self._get_session(username, password) + headers = self._get_headers() + platform_id = self._get_platform_id(host, session, headers) - host_url = '{}/api/inventory/v1/hosts?insights_id={}'.format( - settings.INSIGHTS_URL_BASE, host.insights_system_id) - res = self._call_insights_api(host_url, username, password) - if isinstance(res, tuple): # This value was constructed based on a bad response from the API. - return Response(res[0], status=res[1]) - platform_id = res.json()['results'][0]['id'] - - reports_url = '{}/api/insights/v1/system/{}/reports/'.format( - settings.INSIGHTS_URL_BASE, platform_id) - (msg, err_code) = self.get_insights(reports_url, username, password) - return Response(msg, status=err_code) + data = self._get_insights(platform_id, session, headers) + return Response(data, status=status.HTTP_200_OK) class GroupList(ListCreateAPIView): diff --git a/awx/main/tests/unit/api/test_views.py b/awx/main/tests/unit/api/test_views.py index f27f4f1a15..2734a18a5c 100644 --- a/awx/main/tests/unit/api/test_views.py +++ b/awx/main/tests/unit/api/test_views.py 
@@ -122,103 +122,6 @@ class TestInventoryInventorySourcesUpdate: assert response.data == expected -class TestHostInsights(): - - @pytest.fixture - def patch_parent(self, mocker): - mocker.patch('awx.api.generics.GenericAPIView') - - @pytest.mark.parametrize("status_code, exception, error, message", [ - (502, requests.exceptions.SSLError, 'SSLError while trying to connect to https://myexample.com/whocares/me/', None,), - (504, requests.exceptions.Timeout, 'Request to https://myexample.com/whocares/me/ timed out.', None,), - (502, requests.exceptions.RequestException, 'booo!', 'Unknown exception booo! while trying to GET https://myexample.com/whocares/me/'), - ]) - def test_get_insights_request_exception(self, patch_parent, mocker, status_code, exception, error, message): - view = HostInsights() - mocker.patch.object(view, '_get_insights', side_effect=exception(error)) - - (msg, code) = view.get_insights('https://myexample.com/whocares/me/', 'ignore', 'ignore') - assert code == status_code - assert msg['error'] == message or error - - def test_get_insights_non_200(self, patch_parent, mocker): - view = HostInsights() - Response = namedtuple('Response', 'status_code content') - mocker.patch.object(view, '_get_insights', return_value=Response(500, 'mock 500 err msg')) - - (msg, code) = view.get_insights('https://myexample.com/whocares/me/', 'ignore', 'ignore') - assert msg['error'] == ( - 'Failed to access the Insights API at URL' - ' https://myexample.com/whocares/me/. Server responded with 500 status code ' - 'and message mock 500 err msg') - - def test_get_insights_401(self, patch_parent, mocker): - view = HostInsights() - Response = namedtuple('Response', 'status_code content') - mocker.patch.object(view, '_get_insights', return_value=Response(401, '')) - - (msg, code) = view.get_insights('https://myexample.com/whocares/me/', 'ignore', 'ignore') - assert msg['error'] == 'Unauthorized access. Please check your Insights Credential username and password.' 
- - def test_get_insights_malformed_json_content(self, patch_parent, mocker): - view = HostInsights() - - class Response(): - status_code = 200 - content = 'booo!' - - def json(self): - raise ValueError('we do not care what this is') - - mocker.patch.object(view, '_get_insights', return_value=Response()) - - (msg, code) = view.get_insights('https://myexample.com/whocares/me/', 'ignore', 'ignore') - assert msg['error'] == 'Expected JSON response from Insights but instead got booo!' - assert code == 502 - - #def test_get_not_insights_host(self, patch_parent, mocker, mock_response_new): - #def test_get_not_insights_host(self, patch_parent, mocker): - def test_get_not_insights_host(self, mocker): - - view = HostInsights() - - host = Host() - host.insights_system_id = None - - mocker.patch.object(view, 'get_object', return_value=host) - - resp = view.get(None) - - assert resp.data['error'] == 'This host is not recognized as an Insights host.' - assert resp.status_code == 404 - - def test_get_no_credential(self, patch_parent, mocker): - view = HostInsights() - - class MockInventory(): - insights_credential = None - name = 'inventory_name_here' - - class MockHost(): - insights_system_id = 'insights_system_id_value' - inventory = MockInventory() - - mocker.patch.object(view, 'get_object', return_value=MockHost()) - - resp = view.get(None) - - assert resp.data['error'] == 'The Insights Credential for "inventory_name_here" was not found.' - assert resp.status_code == 404 - - def test_get_insights_user_agent(self, patch_parent, mocker): - with mock.patch.object(requests.Session, 'get') as get: - HostInsights()._get_insights('https://example.org', 'joe', 'example') - assert get.call_count == 1 - args, kwargs = get.call_args_list[0] - assert args == ('https://example.org',) - assert re.match(r'AWX [^\s]+ \(open\)', kwargs['headers']['User-Agent']) - - class TestSurveySpecValidation: def test_create_text_encrypted(self): 
diff --git a/awx/playbooks/action_plugins/insights.py b/awx/playbooks/action_plugins/insights.py index 3a465f3c5d..838265cbdf 100644 --- a/awx/playbooks/action_plugins/insights.py +++ b/awx/playbooks/action_plugins/insights.py @@ -81,7 +81,7 @@ class ActionModule(ActionBase): url = res.json()['links']['next'] # will be None if we're on the last page - for item in res.json()['remediations']: + for item in res.json()['data']: playbook_url = '{}/api/remediations/v1/remediations/{}/playbook'.format( insights_url, item['id']) res = session.get(playbook_url, timeout=120) From 7c743904b08e62ab58630c3a37912f57e08d3d5d Mon Sep 17 00:00:00 2001 From: Jeff Bradberry Date: Tue, 9 Apr 2019 11:36:58 -0400 Subject: [PATCH 11/34] Removed some no longer needed imports --- awx/main/tests/unit/api/test_views.py | 6 ------ 1 file changed, 6 deletions(-) diff --git a/awx/main/tests/unit/api/test_views.py b/awx/main/tests/unit/api/test_views.py index 2734a18a5c..53ab2ececb 100644 --- a/awx/main/tests/unit/api/test_views.py +++ b/awx/main/tests/unit/api/test_views.py @@ -1,7 +1,5 @@ # -*- coding: utf-8 -*- -import re import pytest -import requests from copy import deepcopy from unittest import mock @@ -11,13 +9,9 @@ from awx.api.views import ( ApiVersionRootView, JobTemplateLabelList, InventoryInventorySourcesUpdate, - HostInsights, JobTemplateSurveySpec ) -from awx.main.models import ( - Host, -) from awx.main.views import handle_error from rest_framework.test import APIRequestFactory From e25adca2333464dbf93128dc6df5e58d07597cb7 Mon Sep 17 00:00:00 2001 From: Jeff Bradberry Date: Tue, 9 Apr 2019 15:00:06 -0400 Subject: [PATCH 12/34] Replace the old unit tests with new functional tests --- awx/api/views/__init__.py | 6 + .../functional/api/test_host_insights.py | 109 ++++++++++++++++++ 2 files changed, 115 insertions(+) create mode 100644 awx/main/tests/functional/api/test_host_insights.py 
diff --git a/awx/api/views/__init__.py b/awx/api/views/__init__.py index f88995b53e..13826a1078 100644 --- a/awx/api/views/__init__.py +++ b/awx/api/views/__init__.py @@ -1738,6 +1738,12 @@ class HostInsights(GenericAPIView): data = self._get_insights(platform_id, session, headers) return Response(data, status=status.HTTP_200_OK) + def handle_exception(self, exc): + # Continue supporting the slightly different way we have handled error responses on this view. + response = super().handle_exception(exc) + response.data['error'] = response.data.pop('detail') + return response + class GroupList(ListCreateAPIView): diff --git a/awx/main/tests/functional/api/test_host_insights.py b/awx/main/tests/functional/api/test_host_insights.py new file mode 100644 index 0000000000..3ab3ac61e5 --- /dev/null +++ b/awx/main/tests/functional/api/test_host_insights.py 
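Review bot: `handle_exception` calls `response.data.pop('detail')` unconditionally, but DRF only populates `detail` for `APIException` subclasses; a `ValidationError` with per-field errors yields a dict without that key and some exceptions yield a list, so the `pop` raises KeyError or AttributeError and turns a well-formed 4xx into a 500. Guarding the rewrite, `if isinstance(response.data, dict) and 'detail' in response.data: response.data['error'] = response.data.pop('detail')`, preserves the legacy `error` shape for the BadGateway/GatewayTimeout cases without breaking the others. The comment above would also benefit from naming the exceptions it targets: `# BadGateway/GatewayTimeout raised by _call_insights_api carry their message in 'detail'; the UI expects 'error'.`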
@@ -0,0 +1,109 @@ +from collections import namedtuple + +import pytest +import requests + +from awx.api.versioning import reverse + + +@pytest.mark.django_db +class TestHostInsights: + def test_insights_bad_host(self, get, hosts, user, mocker): + mocker.patch.object(requests.Session, 'get') + + host = hosts(host_count=1)[0] + + url = reverse('api:host_insights', kwargs={'pk': host.pk}) + response = get(url, user('admin', True)) + + assert response.data['error'] == 'This host is not recognized as an Insights host.' + assert response.status_code == 404 + + def test_insights_no_credential(self, get, hosts, user, mocker): + mocker.patch.object(requests.Session, 'get') + + host = hosts(host_count=1)[0] + host.insights_system_id = '123e4567-e89b-12d3-a456-426655440000' + host.save() + + url = reverse('api:host_insights', kwargs={'pk': host.pk}) + response = get(url, user('admin', True)) + + assert response.data['error'] == 'The Insights Credential for "test-inv" was not found.' + assert response.status_code == 404 + + @pytest.mark.parametrize("status_code, exception, error, message", [ + (502, requests.exceptions.SSLError, 'SSLError while trying to connect to https://myexample.com/whocares/me/', None,), + (504, requests.exceptions.Timeout, 'Request to https://myexample.com/whocares/me/ timed out.', None,), + (502, requests.exceptions.RequestException, 'booo!', 'Unknown exception booo! 
while trying to GET https://myexample.com/whocares/me/'), + ]) + def test_insights_exception(self, get, hosts, insights_credential, user, mocker, status_code, exception, error, message): + mocker.patch.object(requests.Session, 'get', side_effect=exception(error)) + + host = hosts(host_count=1)[0] + host.insights_system_id = '123e4567-e89b-12d3-a456-426655440000' + host.inventory.insights_credential = insights_credential + host.inventory.save() + host.save() + + url = reverse('api:host_insights', kwargs={'pk': host.pk}) + response = get(url, user('admin', True)) + + assert response.data['error'] == message or error + assert response.status_code == status_code + + def test_insights_unauthorized(self, get, hosts, insights_credential, user, mocker): + Response = namedtuple('Response', 'status_code content') + mocker.patch.object(requests.Session, 'get', return_value=Response(401, 'mock 401 err msg')) + + host = hosts(host_count=1)[0] + host.insights_system_id = '123e4567-e89b-12d3-a456-426655440000' + host.inventory.insights_credential = insights_credential + host.inventory.save() + host.save() + + url = reverse('api:host_insights', kwargs={'pk': host.pk}) + response = get(url, user('admin', True)) + + assert response.data['error'] == ( + "Unauthorized access. 
Please check your Insights Credential username and password.") + assert response.status_code == 502 + + def test_insights_bad_status(self, get, hosts, insights_credential, user, mocker): + Response = namedtuple('Response', 'status_code content') + mocker.patch.object(requests.Session, 'get', return_value=Response(500, 'mock 500 err msg')) + + host = hosts(host_count=1)[0] + host.insights_system_id = '123e4567-e89b-12d3-a456-426655440000' + host.inventory.insights_credential = insights_credential + host.inventory.save() + host.save() + + url = reverse('api:host_insights', kwargs={'pk': host.pk}) + response = get(url, user('admin', True)) + + assert response.data['error'].startswith("Failed to access the Insights API at URL") + assert "Server responded with 500 status code and message mock 500 err msg" in response.data['error'] + assert response.status_code == 502 + + def test_insights_bad_json(self, get, hosts, insights_credential, user, mocker): + class Response: + status_code = 200 + content = 'booo!' + + def json(self): + raise ValueError("we do not care what this is") + + mocker.patch.object(requests.Session, 'get', return_value=Response()) + + host = hosts(host_count=1)[0] + host.insights_system_id = '123e4567-e89b-12d3-a456-426655440000' + host.inventory.insights_credential = insights_credential + host.inventory.save() + host.save() + + url = reverse('api:host_insights', kwargs={'pk': host.pk}) + response = get(url, user('admin', True)) + + assert response.data['error'] == "Expected JSON response from Insights but instead got booo!" + assert response.status_code == 502 From 355a83441a47414faa8546bc577d9f5178e69c83 Mon Sep 17 00:00:00 2001 From: Jeff Bradberry Date: Thu, 11 Apr 2019 11:36:49 -0400 Subject: [PATCH 13/34] Guard against the case where Insights fails to find the system ID --- awx/api/views/__init__.py | 7 ++++-- .../functional/api/test_host_insights.py | 22 +++++++++++++++++++ 2 files changed, 27 insertions(+), 2 deletions(-) 
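Review bot: `assert response.data['error'] == message or error` in test_insights_exception parses as `(… == message) or error`; `error` is always a non-empty string, so the assertion can never fail and the two parametrize cases with `message=None` never check the response text. Write it as `assert response.data['error'] == (message or error)`. Separately, the stubbed Response shape (status_code, content, optional json()) is rebuilt per test as either a namedtuple or a local class; one module-level helper would keep the variants from drifting apart.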
diff --git a/awx/api/views/__init__.py b/awx/api/views/__init__.py index 13826a1078..699bba17d9 100644 --- a/awx/api/views/__init__.py +++ b/awx/api/views/__init__.py @@ -31,7 +31,7 @@ from django.utils.translation import ugettext_lazy as _ # Django REST Framework -from rest_framework.exceptions import APIException, PermissionDenied, ParseError +from rest_framework.exceptions import APIException, PermissionDenied, ParseError, NotFound from rest_framework.parsers import FormParser from rest_framework.permissions import AllowAny, IsAuthenticated from rest_framework.renderers import JSONRenderer, StaticHTMLRenderer @@ -1680,7 +1680,10 @@ class HostInsights(GenericAPIView): url = '{}/api/inventory/v1/hosts?insights_id={}'.format( settings.INSIGHTS_URL_BASE, host.insights_system_id) res = self._call_insights_api(url, session, headers) - platform_id = res['results'][0]['id'] + try: + platform_id = res['results'][0]['id'] + except (IndexError, KeyError): + raise NotFound(_('This host is not recognized as an Insights host.')) return platform_id diff --git a/awx/main/tests/functional/api/test_host_insights.py b/awx/main/tests/functional/api/test_host_insights.py index 3ab3ac61e5..4daddf9dfa 100644 --- a/awx/main/tests/functional/api/test_host_insights.py +++ b/awx/main/tests/functional/api/test_host_insights.py 
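Review bot: The new `except (IndexError, KeyError)` around `res['results'][0]['id']` does not cover TypeError, which is what a JSON body that is a list, a string, or carries `results: null` produces, so such a reply from the inventory endpoint surfaces as a 500 rather than the intended 404; the next patch's hunk on the same function (the `Could not translate …` message) has the same gap and should get the same fix, `except (IndexError, KeyError, TypeError):`. The context line above also formats `host.insights_system_id` straight into the query string; if that field is not validated as a UUID elsewhere, passing it through `urllib.parse.quote` would keep a stray `&` or `#` from reshaping the request. The `def` line of this method sits above the hunk.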
@@ -19,6 +19,28 @@ class TestHostInsights: assert response.data['error'] == 'This host is not recognized as an Insights host.' assert response.status_code == 404 + def test_insights_host_missing_from_insights(self, get, hosts, insights_credential, user, mocker): + class Response: + status_code = 200 + content = "{'results': []}" + + def json(self): + return {'results': []} + + mocker.patch.object(requests.Session, 'get', return_value=Response()) + + host = hosts(host_count=1)[0] + host.insights_system_id = '123e4567-e89b-12d3-a456-426655440000' + host.inventory.insights_credential = insights_credential + host.inventory.save() + host.save() + + url = reverse('api:host_insights', kwargs={'pk': host.pk}) + response = get(url, user('admin', True)) + + assert response.data['error'] == 'This host is not recognized as an Insights host.' + assert response.status_code == 404 + def test_insights_no_credential(self, get, hosts, user, mocker): mocker.patch.object(requests.Session, 'get') From 10cfac2f0e4a5ba9ed98f398e9202164f0bd6c77 Mon Sep 17 00:00:00 2001 From: Jeff Bradberry Date: Thu, 11 Apr 2019 14:38:37 -0400 Subject: [PATCH 14/34] Update the error message when we can't discover the platform ID --- awx/api/views/__init__.py | 4 +++- awx/main/tests/functional/api/test_host_insights.py | 4 +++- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/awx/api/views/__init__.py b/awx/api/views/__init__.py index 699bba17d9..5b2114153f 100644 --- a/awx/api/views/__init__.py +++ b/awx/api/views/__init__.py @@ -1683,7 +1683,9 @@ class HostInsights(GenericAPIView): try: platform_id = res['results'][0]['id'] except (IndexError, KeyError): - raise NotFound(_('This host is not recognized as an Insights host.')) + raise NotFound( + _('Could not translate Insights system ID {}' + ' into an Insights platform ID.').format(host.insights_system_id)) return platform_id 
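Review bot: The stub in test_insights_host_missing_from_insights sets `content = "{'results': []}"`, which is a Python repr rather than JSON; the view does not read `content` on a 200 with a parsable body, but a fixture that looks almost like JSON invites confusion later, and `content = '{"results": []}'` matches what `json()` returns. This is also the third hand-rolled Response stub in the file, after the namedtuple and the class in test_insights_bad_json; a single module-level fake taking status_code, content and an optional payload would let each test state only what differs.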
diff --git a/awx/main/tests/functional/api/test_host_insights.py b/awx/main/tests/functional/api/test_host_insights.py index 4daddf9dfa..d22471406f 100644 --- a/awx/main/tests/functional/api/test_host_insights.py +++ b/awx/main/tests/functional/api/test_host_insights.py @@ -38,7 +38,9 @@ class TestHostInsights: url = reverse('api:host_insights', kwargs={'pk': host.pk}) response = get(url, user('admin', True)) - assert response.data['error'] == 'This host is not recognized as an Insights host.' + assert response.data['error'] == ( + 'Could not translate Insights system ID 123e4567-e89b-12d3-a456-426655440000' + ' into an Insights platform ID.') assert response.status_code == 404 def test_insights_no_credential(self, get, hosts, user, mocker): From 11b85250e8aaede2f7350dc01e144610dd87415b Mon Sep 17 00:00:00 2001 From: Jeff Bradberry Date: Thu, 11 Apr 2019 14:46:13 -0400 Subject: [PATCH 15/34] Update more urls --- awx/api/views/__init__.py | 3 ++- awx/main/tests/functional/api/test_host_insights.py | 4 +++- .../src/inventories-hosts/inventories/insights/plan-filter.js | 2 +- 3 files changed, 6 insertions(+), 3 deletions(-) diff --git a/awx/api/views/__init__.py b/awx/api/views/__init__.py index 5b2114153f..96362d7591 100644 --- a/awx/api/views/__init__.py +++ b/awx/api/views/__init__.py @@ -1655,7 +1655,8 @@ class HostInsights(GenericAPIView): return res.json() except ValueError: raise BadGateway( - _('Expected JSON response from Insights but instead got {}').format(res.content)) + _('Expected JSON response from Insights at URL {}' + ' but instead got {}').format(url, res.content)) def _get_session(self, username, password): session = requests.Session() diff --git a/awx/main/tests/functional/api/test_host_insights.py b/awx/main/tests/functional/api/test_host_insights.py index d22471406f..348ca02952 100644 --- a/awx/main/tests/functional/api/test_host_insights.py +++ b/awx/main/tests/functional/api/test_host_insights.py 
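Review bot: The rewritten BadGateway message formats `res.content` into the string; with requests that attribute is bytes, so under Python 3 the client sees a `b'...'` repr, and the whole upstream body — possibly a large HTML error page from a proxy — is echoed verbatim into the API response. Decoding and bounding it, e.g. `body = res.text[:512]` followed by `.format(url, body)`, keeps the message readable and small; the stubs in test_host_insights.py would then need a `text` attribute. The enclosing `_call_insights_api` starts above the hunk.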
@@ -129,5 +129,7 @@ class TestHostInsights: url = reverse('api:host_insights', kwargs={'pk': host.pk}) response = get(url, user('admin', True)) - assert response.data['error'] == "Expected JSON response from Insights but instead got booo!" + assert response.data['error'].startswith("Expected JSON response from Insights at URL") + assert 'insights_id=123e4567-e89b-12d3-a456-426655440000' in response.data['error'] + assert response.data['error'].endswith("but instead got booo!") assert response.status_code == 502 diff --git a/awx/ui/client/src/inventories-hosts/inventories/insights/plan-filter.js b/awx/ui/client/src/inventories-hosts/inventories/insights/plan-filter.js index 5c404acaaf..27259feac0 100644 --- a/awx/ui/client/src/inventories-hosts/inventories/insights/plan-filter.js +++ b/awx/ui/client/src/inventories-hosts/inventories/insights/plan-filter.js @@ -7,7 +7,7 @@ export default function(){ return function(plan) { if(plan === null || plan === undefined){ - return "PLAN: Not Available CREATE A NEW PLAN IN INSIGHTS"; + return "PLAN: Not Available CREATE A NEW PLAN IN INSIGHTS"; } else { let name = (plan.name === null) ? "Unnamed Plan" : plan.name; return `${name} (${plan.id})`; From 80a855c57a4386390a279e895c2e0f8ed872e67c Mon Sep 17 00:00:00 2001 From: Jeff Bradberry Date: Mon, 15 Apr 2019 11:36:20 -0400 Subject: [PATCH 16/34] Do some basic slugification of the remediation playbook name --- awx/playbooks/action_plugins/insights.py | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/awx/playbooks/action_plugins/insights.py b/awx/playbooks/action_plugins/insights.py index 838265cbdf..d4831448be 100644 --- a/awx/playbooks/action_plugins/insights.py +++ b/awx/playbooks/action_plugins/insights.py @@ -2,6 +2,8 @@ from __future__ import (absolute_import, division, print_function) __metaclass__ = type import os +import re + import requests from ansible.plugins.action import ActionBase 
@@ -10,8 +12,10 @@ from ansible.plugins.action import ActionBase class ActionModule(ActionBase): def save_playbook(self, proj_path, remediation, content): - fname = '{}-{}.yml'.format( - remediation.get('name', None) or 'insights-remediation', remediation['id']) + name = remediation.get('name', None) or 'insights-remediation' + name = re.sub(r'[^\w\s-]', '', name).strip().lower() + name = re.sub(r'[-\s]+', '-', name) + fname = '{}-{}.yml'.format(name, remediation['id']) file_path = os.path.join(proj_path, fname) with open(file_path, 'wb') as f: f.write(content) From 4c86c5065ca513842fc0d1dcb6c710a8b6a962e5 Mon Sep 17 00:00:00 2001 From: Jeff Bradberry Date: Mon, 15 Apr 2019 13:33:52 -0400 Subject: [PATCH 17/34] Fix a typo in the per-system remediations api call --- awx/api/views/__init__.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/awx/api/views/__init__.py b/awx/api/views/__init__.py index 96362d7591..a9b47ab92c 100644 --- a/awx/api/views/__init__.py +++ b/awx/api/views/__init__.py @@ -1697,7 +1697,7 @@ class HostInsights(GenericAPIView): return self._call_insights_api(url, session, headers) def _get_remediations(self, platform_id, session, headers): - url = '{}/api/remediations/v1/?system={}'.format( + url = '{}/api/remediations/v1/remediations?system={}'.format( settings.INSIGHTS_URL_BASE, platform_id) remediations = [] From 72da961550a1536f119ebe8e4a6ce3673d06a6fb Mon Sep 17 00:00:00 2001 From: Jeff Bradberry Date: Mon, 15 Apr 2019 15:18:19 -0400 Subject: [PATCH 18/34] Conform to the new output of the Insights system reports endpoint --- awx/api/views/__init__.py | 13 ++++++++----- awx/main/utils/insights.py | 39 +++++++++++++++++++------------------- 2 files changed, 27 insertions(+), 25 deletions(-) diff --git a/awx/api/views/__init__.py b/awx/api/views/__init__.py index a9b47ab92c..fbacad4112 100644 --- a/awx/api/views/__init__.py +++ b/awx/api/views/__init__.py 
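Review bot: After the two `re.sub` passes the slug can be empty (a name made only of punctuation, or nothing but whitespace once stripped), so the fallback on the first new line no longer guarantees a usable prefix and the file becomes `-<id>.yml`; apply the default after slugging, `name = re.sub(r'[-\s]+', '-', name) or 'insights-remediation'`. The id half of the filename comes from the API payload unfiltered and is joined onto proj_path, so it deserves the same treatment, e.g. `ident = re.sub(r'[^\w-]', '', str(remediation['id']))` and `fname = '{}-{}.yml'.format(name, ident)`, which keeps a malformed id from carrying path separators into `os.path.join`. Note that `\w` matches Unicode letters under Python 3, so non-ASCII names survive into the filename; add `flags=re.ASCII` if that is unwanted. save_playbook may continue past the hunk.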
@@ -1677,7 +1677,7 @@ class HostInsights(GenericAPIView): return headers - def _get_platform_id(self, host, session, headers): + def _get_platform_info(self, host, session, headers): url = '{}/api/inventory/v1/hosts?insights_id={}'.format( settings.INSIGHTS_URL_BASE, host.insights_system_id) res = self._call_insights_api(url, session, headers) @@ -1688,7 +1688,7 @@ class HostInsights(GenericAPIView): _('Could not translate Insights system ID {}' ' into an Insights platform ID.').format(host.insights_system_id)) - return platform_id + return res['results'][0] def _get_reports(self, platform_id, session, headers): url = '{}/api/insights/v1/system/{}/reports/'.format( @@ -1711,11 +1711,15 @@ class HostInsights(GenericAPIView): return remediations - def _get_insights(self, platform_id, session, headers): + def _get_insights(self, session, headers): + platform_info = self._get_platform_info(host, session, headers) + platform_id = platform_info['id'] reports = self._get_reports(platform_id, session, headers) remediations = self._get_remediations(platform_id, session, headers) - return {'insights_content': filter_insights_api_response(reports, remediations)} + return { + 'insights_content': filter_insights_api_response(platform_info, reports, remediations) + } def get(self, request, *args, **kwargs): host = self.get_object() @@ -1739,7 +1743,6 @@ class HostInsights(GenericAPIView): password = cred.get_input('password', default='') session = self._get_session(username, password) headers = self._get_headers() - platform_id = self._get_platform_id(host, session, headers) data = self._get_insights(platform_id, session, headers) return Response(data, status=status.HTTP_200_OK) diff --git a/awx/main/utils/insights.py b/awx/main/utils/insights.py index d4b4cf0d25..a21720794c 100644 --- a/awx/main/utils/insights.py +++ b/awx/main/utils/insights.py 
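Review bot: In `_get_platform_info` the `platform_id = res['results'][0]['id']` assignment in the try block just above this hunk is now dead, since the method returns `res['results'][0]` instead; keep the try as a presence check but drop the unused name, e.g. `record = res['results'][0]` and `record['id']  # presence check` inside the try, then `return record`. As committed the patch also does not run on its own: the new `_get_insights(self, session, headers)` body reads a `host` that is not a parameter, and `get` still passes `platform_id` after the line that defined it was removed; both are corrected by later patches in this series, so folding those into this one would keep each commit runnable. `_get_insights` now chains three upstream calls, and a one-line docstring naming the `insights_content` key it returns would help.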
@@ -15,7 +15,7 @@ # by a different Insights endpoint -def filter_insights_api_response(reports, remediations): +def filter_insights_api_response(platform_info, reports, remediations): severity_mapping = { 1: 'INFO', 2: 'WARN', @@ -23,25 +23,24 @@ def filter_insights_api_response(reports, remediations): 4: 'CRITICAL' } - new_json = {} - if 'checked_on' in reports: - new_json['last_check_in'] = reports['checked_on'] - if 'active_reports' in reports: - new_json['reports'] = [] - for rep in reports['active_reports']: - new_report = { - 'rule': {}, - 'maintenance_actions': remediations - } - rule = rep.get('rule') or {} - for k in ['description', 'summary']: - if k in rule: - new_report['rule'][k] = rule[k] - if 'category' in rule: - new_report['rule']['category'] = rule['category']['name'] - if rule.get('total_risk') in severity_mapping: - new_report['rule']['severity'] = severity_mapping[rule['total_risk']] + new_json = { + 'last_check_in': platform_info.get('updated'), + 'reports': [], + } + for rep in reports: + new_report = { + 'rule': {}, + 'maintenance_actions': remediations + } + rule = rep.get('rule') or {} + for k in ['description', 'summary']: + if k in rule: + new_report['rule'][k] = rule[k] + if 'category' in rule: + new_report['rule']['category'] = rule['category']['name'] + if rule.get('total_risk') in severity_mapping: + new_report['rule']['severity'] = severity_mapping[rule['total_risk']] - new_json['reports'].append(new_report) + new_json['reports'].append(new_report) return new_json From e66f9241a9605c35384e4abab9bb522beee37c4a Mon Sep 17 00:00:00 2001 From: Jeff Bradberry Date: Mon, 15 Apr 2019 15:30:56 -0400 Subject: [PATCH 19/34] Remove the platform_id from the call to _get_insights since it is now acquired within _get_insights. --- awx/api/views/__init__.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/awx/api/views/__init__.py b/awx/api/views/__init__.py index fbacad4112..ec49cfdb8c 100644 --- a/awx/api/views/__init__.py 
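Review bot: The re-indented loop keeps `new_report['rule']['category'] = rule['category']['name']` behind a `'category' in rule` test, which passes when the key is present with a null value and then fails with TypeError on `None['name']`; the old `active_reports` guard is gone as well, since `reports` is now iterated directly. `category = rule.get('category') or {}` with `if 'name' in category:` and `new_report['rule']['category'] = category['name']` handles both shapes. The function also gained a `platform_info` parameter but has no docstring; a few lines stating that it expects the inventory record (only `updated` is read), a list of report objects and the remediations list, and returns the trimmed dict with `last_check_in` and `reports`, would document the new contract.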
+++ b/awx/api/views/__init__.py @@ -1744,7 +1744,7 @@ class HostInsights(GenericAPIView): session = self._get_session(username, password) headers = self._get_headers() - data = self._get_insights(platform_id, session, headers) + data = self._get_insights(session, headers) return Response(data, status=status.HTTP_200_OK) def handle_exception(self, exc): From 6dae4a1d6d96c677cfde7c52a9c4002cd3c8e1d5 Mon Sep 17 00:00:00 2001 From: Jeff Bradberry Date: Mon, 15 Apr 2019 15:35:39 -0400 Subject: [PATCH 20/34] Add the host in as a parameter to the _get_insights call --- awx/api/views/__init__.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/awx/api/views/__init__.py b/awx/api/views/__init__.py index ec49cfdb8c..b3e89fe921 100644 --- a/awx/api/views/__init__.py +++ b/awx/api/views/__init__.py @@ -1711,7 +1711,7 @@ class HostInsights(GenericAPIView): return remediations - def _get_insights(self, session, headers): + def _get_insights(self, host, session, headers): platform_info = self._get_platform_info(host, session, headers) platform_id = platform_info['id'] reports = self._get_reports(platform_id, session, headers) @@ -1744,7 +1744,7 @@ class HostInsights(GenericAPIView): session = self._get_session(username, password) headers = self._get_headers() - data = self._get_insights(session, headers) + data = self._get_insights(host, session, headers) return Response(data, status=status.HTTP_200_OK) def handle_exception(self, exc): From e2861c6c39c5b3b0e9de0776f08a9b207ed8a79c Mon Sep 17 00:00:00 2001 
From: Jeff Bradberry Date: Mon, 15 Apr 2019 15:59:40 -0400 Subject: [PATCH 21/34] Fix the tests to conform to the new Insights results --- awx/main/tests/data/insights.json | 853 ++++++++++----------- awx/main/tests/data/insights.py | 3 + awx/main/tests/data/insights_hosts.json | 12 + awx/main/tests/unit/utils/test_insights.py | 5 +- awx/main/utils/insights.py | 10 +- 5 files changed, 446 insertions(+), 437 deletions(-) create mode 100644 awx/main/tests/data/insights_hosts.json diff --git a/awx/main/tests/data/insights.json b/awx/main/tests/data/insights.json index 00214fa0cd..8a303ba85d 100644 --- a/awx/main/tests/data/insights.json +++ b/awx/main/tests/data/insights.json 
@@ -1,436 +1,429 @@ -{ - "id": 1679900, - "system_uuid": "$REDACTED$", - "account": "$REDACTED$", - "system_type": 105, - "checked_on": "2019-03-19T21:59:09.213151-04:00", - "active_reports": [ - { - "id": 16923675, - "rule": { - "id": 46, - "created_at": "2019-02-07T14:02:34.379375-05:00", - "updated_at": "2019-03-12T11:45:28.804999-04:00", - "ruleset": { - "created_at": "2018-12-20T20:33:00-05:00", - "updated_at": "2018-12-20T20:33:00-05:00", - "rule_source": "https://$REDACTED$/insights-open-source/insights-security", - "description": "Security" - }, - "rule_id": "CVE_2017_5715_cpu_virt|VIRT_CVE_2017_5715_CPU_3_ONLYKERNEL", - "description": "Kernel vulnerable to side-channel attacks in modern microprocessors (CVE-2017-5715/Spectre)", - "active": true, - "category": { - "id": 2, - "name": "Security" - }, - "impact": { - "name": "Information Disclosure", - "impact": 3 - }, - "likelihood": 2, - "node_id": "3244101", - "tags": "security kernel CVE", - "reboot_required": true, - "publish_date": "2018-01-17T12:00:00-05:00", - "summary": "A vulnerability was discovered in modern microprocessors supported by the kernel, whereby an unprivileged attacker can use this flaw to bypass restrictions to gain read access to privileged memory.\nThe issue was reported as [CVE-2017-5715 / Spectre](https://access.redhat.com/security/cve/CVE-2017-5715).\n", - "generic": "An industry-wide issue was found in the manner many modern microprocessors have implemented speculative execution of instructions. 
There are three primary variants of the issue which differ in the way the speculative execution can be exploited.\n\nAll three rely upon the fact that modern high performance microprocessors implement both speculative execution, and utilize VIPT (Virtually Indexed, Physically Tagged) level 1 data caches that may become allocated with data in the kernel virtual address space during such speculation.\n\nAn unprivileged attacker could use these to read privileged memory by conducting targeted cache side-channel attacks, including memory locations that cross the syscall boundary or the guest/host boundary, or potentially arbitrary host memory addresses.\n", - "reason": "{{? pydata.error_key == \"VIRT_CVE_2017_5715_CPU_3_VIRTKERNEL\" || pydata.error_key == \"VIRT_CVE_2017_5715_CPU_3_DRACUTKERNEL\" }}This machine is vulnerable, because it runs a vulnerable kernel and has the following vulnerable packages installed:\n\n{{~ pydata.PACKAGES :value:index}}\n* `{{= value }}`{{~}}\n{{?}}{{? pydata.error_key == \"VIRT_CVE_2017_5715_CPU_3_ONLYKERNEL\" }}This machine is vulnerable, because it runs a vulnerable kernel.\n{{?}}{{? pydata.error_key == \"VIRT_CVE_2017_5715_CPU_3_ONLYVIRT\" || pydata.error_key == \"VIRT_CVE_2017_5715_CPU_3_ONLYDRACUT\" }}This machine is vulnerable, because it has the following vulnerable packages installed:\n\n{{~ pydata.PACKAGES :value:index}}\n* `{{= value }}`{{~}}\n{{?}}\n\n\n{{? pydata.error_key == \"VIRT_CVE_2017_5715_CPU_3_DRACUTKERNEL\" || pydata.error_key == \"VIRT_CVE_2017_5715_CPU_3_ONLYDRACUT\" }}This machine has a particular family of an AMD processor for which there exists an updated version of Dracut. Dracut is a low-level software for generating an initramfs/initrd image that, among other tasks, selects the appropriate processor microcode to use. 
It is possible, but not guaranteed, that after updating the affected Dracut packages, the appropriate microcode will be selected to enable the protections for Variant 2 of this issue.\n\n{{?}}\nAn unprivileged attacker could use the vulnerability to read privileged memory by conducting targeted cache side-channel attacks, including memory locations that cross the syscall boundary or the guest/host boundary, or potentially arbitrary host memory addresses.\n", - "more_info": "* For more information about the flaw, see [Kernel Side-Channel Attacks](https://access.redhat.com/security/vulnerabilities/speculativeexecution) and [CVE-2017-5715](https://access.redhat.com/security/cve/CVE-2017-5715).\n* For possible performance impact of kernel updates, see [Speculative Execution Exploit Performance Impacts](https://access.redhat.com/articles/3307751)\n* Extensive details can be found at the [Project Zero blog](https://googleprojectzero.blogspot.ca/2018/01/reading-privileged-memory-with-side.html) and [Meltdown and Spectre Attack webpage](https://meltdownattack.com/).\n* The Customer Portal page for the [Red Hat Security Team](https://access.redhat.com/security/) contains more information about policies, procedures, and alerts for Red Hat products.\n* The Security Team also maintains a frequently updated blog at [securityblog.redhat.com](https://securityblog.redhat.com).\n", - "resolution_set": [ - { - "system_type": 105, - "resolution": "{{? 
pydata.error_key == \"VIRT_CVE_2017_5715_CPU_3_VIRTKERNEL\" || pydata.error_key == \"VIRT_CVE_2017_5715_CPU_3_DRACUTKERNEL\" }}Red Hat recommends that you update the kernel and the packages and restart the system:\n\n~~~~\n# yum update{{~ pydata.PACKAGE_NAMES :value:index}} {{= value }}{{~}}\n# yum update {{=pydata.kernel_pkg_name}}\n# reboot\n~~~~\n\nIf additional steps to update the kernel are necessary, they are detailed in the separate insights rule *Kernel vulnerable to side-channel attacks in modern microprocessors (CVE-2017-5753/Spectre, CVE-2017-5715/Spectre, CVE-2017-5754/Meltdown)*.\n{{?}}{{? pydata.error_key == \"VIRT_CVE_2017_5715_CPU_3_ONLYKERNEL\" }}Red Hat recommends that you update the kernel:\n\n~~~~\n# yum update {{=pydata.kernel_pkg_name}}\n# reboot\n~~~~\n\nIf additional steps to update the kernel are necessary, they are detailed in the separate insights rule *Kernel vulnerable to side-channel attacks in modern microprocessors (CVE-2017-5753/Spectre, CVE-2017-5715/Spectre, CVE-2017-5754/Meltdown)*.\n{{?}}{{? pydata.error_key == \"VIRT_CVE_2017_5715_CPU_3_ONLYVIRT\" || pydata.error_key == \"VIRT_CVE_2017_5715_CPU_3_ONLYDRACUT\" }}Red Hat recommends that you update the packages and restart the system:\n\n~~~~\n# yum update{{~ pydata.PACKAGE_NAMES :value:index}} {{= value }}{{~}}\n# reboot\n~~~~\n{{?}}\n\nFixes require CPU microcode/firmware to activate.\n\n**In addition:**\n\nSubscribers are advised to contact their hardware OEM to receive the appropriate microcode/firmware for their processor. Red Hat may be providing `microcode_ctl` and `linux_firmware` packages that will cover the limited subset of chipsets we were able to test, but this will **not** address many CPUs that you may have in use in your server fleet. 
Again, contacting your hardware vendor will ensure you have the appropriate software to enable the protections for Variant 2 of this issue.\n", - "resolution_risk": { - "name": "Upgrade Kernel", - "risk": 3 - }, - "has_playbook": true - } - ], - "total_risk": 2 +[ + { + "id": 16923675, + "rule": { + "id": 46, + "created_at": "2019-02-07T14:02:34.379375-05:00", + "updated_at": "2019-03-12T11:45:28.804999-04:00", + "ruleset": { + "created_at": "2018-12-20T20:33:00-05:00", + "updated_at": "2018-12-20T20:33:00-05:00", + "rule_source": "https://$REDACTED$/insights-open-source/insights-security", + "description": "Security" }, - "details": { - "type": "rule", - "cves_fail": [ - "CVE-2017-5715" - ], - "cves_pass": [], - "error_key": "VIRT_CVE_2017_5715_CPU_3_ONLYKERNEL", - "kernel_pkg_name": "kernel", - "affected_amd_family": false + "rule_id": "CVE_2017_5715_cpu_virt|VIRT_CVE_2017_5715_CPU_3_ONLYKERNEL", + "description": "Kernel vulnerable to side-channel attacks in modern microprocessors (CVE-2017-5715/Spectre)", + "active": true, + "category": { + "id": 2, + "name": "Security" }, - "resolution": { - "system_type": 105, - "resolution": "{{? pydata.error_key == \"VIRT_CVE_2017_5715_CPU_3_VIRTKERNEL\" || pydata.error_key == \"VIRT_CVE_2017_5715_CPU_3_DRACUTKERNEL\" }}Red Hat recommends that you update the kernel and the packages and restart the system:\n\n~~~~\n# yum update{{~ pydata.PACKAGE_NAMES :value:index}} {{= value }}{{~}}\n# yum update {{=pydata.kernel_pkg_name}}\n# reboot\n~~~~\n\nIf additional steps to update the kernel are necessary, they are detailed in the separate insights rule *Kernel vulnerable to side-channel attacks in modern microprocessors (CVE-2017-5753/Spectre, CVE-2017-5715/Spectre, CVE-2017-5754/Meltdown)*.\n{{?}}{{? 
pydata.error_key == \"VIRT_CVE_2017_5715_CPU_3_ONLYKERNEL\" }}Red Hat recommends that you update the kernel:\n\n~~~~\n# yum update {{=pydata.kernel_pkg_name}}\n# reboot\n~~~~\n\nIf additional steps to update the kernel are necessary, they are detailed in the separate insights rule *Kernel vulnerable to side-channel attacks in modern microprocessors (CVE-2017-5753/Spectre, CVE-2017-5715/Spectre, CVE-2017-5754/Meltdown)*.\n{{?}}{{? pydata.error_key == \"VIRT_CVE_2017_5715_CPU_3_ONLYVIRT\" || pydata.error_key == \"VIRT_CVE_2017_5715_CPU_3_ONLYDRACUT\" }}Red Hat recommends that you update the packages and restart the system:\n\n~~~~\n# yum update{{~ pydata.PACKAGE_NAMES :value:index}} {{= value }}{{~}}\n# reboot\n~~~~\n{{?}}\n\nFixes require CPU microcode/firmware to activate.\n\n**In addition:**\n\nSubscribers are advised to contact their hardware OEM to receive the appropriate microcode/firmware for their processor. Red Hat may be providing `microcode_ctl` and `linux_firmware` packages that will cover the limited subset of chipsets we were able to test, but this will **not** address many CPUs that you may have in use in your server fleet. 
Again, contacting your hardware vendor will ensure you have the appropriate software to enable the protections for Variant 2 of this issue.\n", - "resolution_risk": { - "name": "Upgrade Kernel", - "risk": 3 - }, - "has_playbook": true - } + "impact": { + "name": "Information Disclosure", + "impact": 3 + }, + "likelihood": 2, + "node_id": "3244101", + "tags": "security kernel CVE", + "reboot_required": true, + "publish_date": "2018-01-17T12:00:00-05:00", + "summary": "A vulnerability was discovered in modern microprocessors supported by the kernel, whereby an unprivileged attacker can use this flaw to bypass restrictions to gain read access to privileged memory.\nThe issue was reported as [CVE-2017-5715 / Spectre](https://access.redhat.com/security/cve/CVE-2017-5715).\n", + "generic": "An industry-wide issue was found in the manner many modern microprocessors have implemented speculative execution of instructions. There are three primary variants of the issue which differ in the way the speculative execution can be exploited.\n\nAll three rely upon the fact that modern high performance microprocessors implement both speculative execution, and utilize VIPT (Virtually Indexed, Physically Tagged) level 1 data caches that may become allocated with data in the kernel virtual address space during such speculation.\n\nAn unprivileged attacker could use these to read privileged memory by conducting targeted cache side-channel attacks, including memory locations that cross the syscall boundary or the guest/host boundary, or potentially arbitrary host memory addresses.\n", + "reason": "{{? pydata.error_key == \"VIRT_CVE_2017_5715_CPU_3_VIRTKERNEL\" || pydata.error_key == \"VIRT_CVE_2017_5715_CPU_3_DRACUTKERNEL\" }}This machine is vulnerable, because it runs a vulnerable kernel and has the following vulnerable packages installed:\n\n{{~ pydata.PACKAGES :value:index}}\n* `{{= value }}`{{~}}\n{{?}}{{? 
pydata.error_key == \"VIRT_CVE_2017_5715_CPU_3_ONLYKERNEL\" }}This machine is vulnerable, because it runs a vulnerable kernel.\n{{?}}{{? pydata.error_key == \"VIRT_CVE_2017_5715_CPU_3_ONLYVIRT\" || pydata.error_key == \"VIRT_CVE_2017_5715_CPU_3_ONLYDRACUT\" }}This machine is vulnerable, because it has the following vulnerable packages installed:\n\n{{~ pydata.PACKAGES :value:index}}\n* `{{= value }}`{{~}}\n{{?}}\n\n\n{{? pydata.error_key == \"VIRT_CVE_2017_5715_CPU_3_DRACUTKERNEL\" || pydata.error_key == \"VIRT_CVE_2017_5715_CPU_3_ONLYDRACUT\" }}This machine has a particular family of an AMD processor for which there exists an updated version of Dracut. Dracut is a low-level software for generating an initramfs/initrd image that, among other tasks, selects the appropriate processor microcode to use. It is possible, but not guaranteed, that after updating the affected Dracut packages, the appropriate microcode will be selected to enable the protections for Variant 2 of this issue.\n\n{{?}}\nAn unprivileged attacker could use the vulnerability to read privileged memory by conducting targeted cache side-channel attacks, including memory locations that cross the syscall boundary or the guest/host boundary, or potentially arbitrary host memory addresses.\n", + "more_info": "* For more information about the flaw, see [Kernel Side-Channel Attacks](https://access.redhat.com/security/vulnerabilities/speculativeexecution) and [CVE-2017-5715](https://access.redhat.com/security/cve/CVE-2017-5715).\n* For possible performance impact of kernel updates, see [Speculative Execution Exploit Performance Impacts](https://access.redhat.com/articles/3307751)\n* Extensive details can be found at the [Project Zero blog](https://googleprojectzero.blogspot.ca/2018/01/reading-privileged-memory-with-side.html) and [Meltdown and Spectre Attack webpage](https://meltdownattack.com/).\n* The Customer Portal page for the [Red Hat Security Team](https://access.redhat.com/security/) contains more 
information about policies, procedures, and alerts for Red Hat products.\n* The Security Team also maintains a frequently updated blog at [securityblog.redhat.com](https://securityblog.redhat.com).\n", + "resolution_set": [ + { + "system_type": 105, + "resolution": "{{? pydata.error_key == \"VIRT_CVE_2017_5715_CPU_3_VIRTKERNEL\" || pydata.error_key == \"VIRT_CVE_2017_5715_CPU_3_DRACUTKERNEL\" }}Red Hat recommends that you update the kernel and the packages and restart the system:\n\n~~~~\n# yum update{{~ pydata.PACKAGE_NAMES :value:index}} {{= value }}{{~}}\n# yum update {{=pydata.kernel_pkg_name}}\n# reboot\n~~~~\n\nIf additional steps to update the kernel are necessary, they are detailed in the separate insights rule *Kernel vulnerable to side-channel attacks in modern microprocessors (CVE-2017-5753/Spectre, CVE-2017-5715/Spectre, CVE-2017-5754/Meltdown)*.\n{{?}}{{? pydata.error_key == \"VIRT_CVE_2017_5715_CPU_3_ONLYKERNEL\" }}Red Hat recommends that you update the kernel:\n\n~~~~\n# yum update {{=pydata.kernel_pkg_name}}\n# reboot\n~~~~\n\nIf additional steps to update the kernel are necessary, they are detailed in the separate insights rule *Kernel vulnerable to side-channel attacks in modern microprocessors (CVE-2017-5753/Spectre, CVE-2017-5715/Spectre, CVE-2017-5754/Meltdown)*.\n{{?}}{{? pydata.error_key == \"VIRT_CVE_2017_5715_CPU_3_ONLYVIRT\" || pydata.error_key == \"VIRT_CVE_2017_5715_CPU_3_ONLYDRACUT\" }}Red Hat recommends that you update the packages and restart the system:\n\n~~~~\n# yum update{{~ pydata.PACKAGE_NAMES :value:index}} {{= value }}{{~}}\n# reboot\n~~~~\n{{?}}\n\nFixes require CPU microcode/firmware to activate.\n\n**In addition:**\n\nSubscribers are advised to contact their hardware OEM to receive the appropriate microcode/firmware for their processor. 
Red Hat may be providing `microcode_ctl` and `linux_firmware` packages that will cover the limited subset of chipsets we were able to test, but this will **not** address many CPUs that you may have in use in your server fleet. Again, contacting your hardware vendor will ensure you have the appropriate software to enable the protections for Variant 2 of this issue.\n", + "resolution_risk": { + "name": "Upgrade Kernel", + "risk": 3 + }, + "has_playbook": true + } + ], + "total_risk": 2 }, - { - "id": 16923676, - "rule": { - "id": 49, - "created_at": "2019-02-07T14:02:34.410515-05:00", - "updated_at": "2019-03-12T11:45:28.875932-04:00", - "ruleset": { - "created_at": "2018-12-20T20:33:00-05:00", - "updated_at": "2018-12-20T20:33:00-05:00", - "rule_source": "https://$REDACTED$/insights-open-source/insights-security", - "description": "Security" - }, - "rule_id": "CVE_2017_5753_4_cpu_kernel|KERNEL_CVE_2017_5753_4_CPU_ERROR_3", - "description": "Kernel vulnerable to side-channel attacks in modern microprocessors (CVE-2017-5753/Spectre, CVE-2017-5715/Spectre, CVE-2017-5754/Meltdown)", - "active": true, - "category": { - "id": 2, - "name": "Security" - }, - "impact": { - "name": "Information Disclosure", - "impact": 3 - }, - "likelihood": 2, - "node_id": "3244101", - "tags": "security kernel CVE", - "reboot_required": true, - "publish_date": "2018-01-22T12:00:00-05:00", - "summary": "A vulnerability was discovered in modern microprocessors supported by the kernel, whereby an unprivileged attacker can use this flaw to bypass restrictions to gain read access to privileged memory.\nThe issue was reported as [CVE-2017-5753 / CVE-2017-5715 / Spectre](https://access.redhat.com/security/cve/CVE-2017-5753) and [CVE-2017-5754 / Meltdown](https://access.redhat.com/security/cve/CVE-2017-5754).\n", - "generic": "An industry-wide issue was found in the manner many modern microprocessors have implemented speculative execution of instructions. 
There are three primary variants of the issue which differ in the way the speculative execution can be exploited.\n\nAll three rely upon the fact that modern high performance microprocessors implement both speculative execution, and utilize VIPT (Virtually Indexed, Physically Tagged) level 1 data caches that may become allocated with data in the kernel virtual address space during such speculation.\n\nAn unprivileged attacker could use these to read privileged memory by conducting targeted cache side-channel attacks, including memory locations that cross the syscall boundary or the guest/host boundary, or potentially arbitrary host memory addresses.\n\nMitigations for these vulnerabilities additionally require firmware/microcode updates from hardware vendors.\n", - "reason": "This system is vulnerable to the following variant(s):\n\n{{? pydata.problems.v1_vulnerable}}* Variant 1 (Spectre/CVE-2017-5753)\n{{?}}{{? pydata.problems.v2_vulnerable}}* Variant 2 (Spectre/CVE-2017-5715)\n{{?}}{{? pydata.problems.v3_vulnerable}}* Variant 3 (Meltdown/CVE-2017-5754)\n{{?}}\n\n{{ var factors_contributing_displayed = (!pydata.problems.kernel_supports_features || !pydata.problems.firmware_supports_features || pydata.problems.pti_cmdline_disabled || pydata.problems.ibpb_cmdline_disabled || pydata.problems.ibpb_cmdline_spectre_v2_disabled || pydata.problems.ibrs_cmdline_disabled || pydata.problems.ibrs_cmdline_spectre_v2_disabled || pydata.problems.rfi_flush_cmdline_disabled) ; }}{{? factors_contributing_displayed }}Factors contributing to these vulnerabilities are:\n\n{{? !pydata.problems.kernel_supports_features}}* This system's kernel needs updating.\n{{?}}{{? !pydata.problems.firmware_supports_features}}* This system needs a firmware update.\n{{?}}{{? pydata.problems.pti_cmdline_disabled}}* PTI has been disabled by the `nopti` kernel argument.\n{{?}}{{? pydata.problems.ibpb_cmdline_disabled}}* IBPB has been disabled by the `noibpb` kernel argument.\n{{?}}{{? 
pydata.problems.ibpb_cmdline_spectre_v2_disabled}}* IBPB has been disabled by the `{{=pydata.problems.spectre_v2_disabling_cmdline}}` kernel argument.\n{{?}}{{? pydata.problems.ibrs_cmdline_disabled}}* IBRS has been disabled by the `noibrs` kernel argument.\n{{?}}{{? pydata.problems.ibrs_cmdline_spectre_v2_disabled}}* IBRS has been disabled by the `{{=pydata.problems.spectre_v2_disabling_cmdline}}` kernel argument.\n{{?}}{{? pydata.problems.rfi_flush_cmdline_disabled}}* RFI flush has been disabled by the `no_rfi_flush` kernel argument.\n{{?}}{{?}}\n\n{{? ( pydata.sysfs_vuln_md && (pydata.sysfs_vuln_md.indexOf(\"Vulnerable\") != -1)) || ( pydata.sysfs_vuln_s2 && (/Vulnerable: Minimal.*ASM retpoline/.test(pydata.sysfs_vuln_s2) || pydata.sysfs_vuln_s2.indexOf(\"Vulnerable: Retpoline without IBPB\") != -1 || pydata.sysfs_vuln_s2.indexOf(\"Vulnerable: Retpoline on Skylake\") != -1 || pydata.sysfs_vuln_s2.indexOf(\"Vulnerable: Retpoline with unsafe module\") != -1)) }}{{? factors_contributing_displayed }}Additional details:{{??}}Factors contributing to these vulnerabilities are:{{?}}\n\n{{? pydata.sysfs_vuln_md }}{{? pydata.sysfs_vuln_md.indexOf(\"Vulnerable\") != -1 }}* The CPU is vulnerable to Variant 3 (Meltdown/CVE-2017-5754) and PTI is disabled.\n{{?}}{{?}}{{? pydata.sysfs_vuln_s2 }}{{? /Vulnerable: Minimal.*ASM retpoline/.test(pydata.sysfs_vuln_s2) }}* The kernel has been compiled with an old version of the `gcc` compiler that doesn't support retpolines, so the kernel is vulnerable to Variant 2 (Spectre/CVE-2017-5715).\n{{?}}{{? pydata.sysfs_vuln_s2.indexOf(\"Vulnerable: Retpoline without IBPB\") != -1 }}* The CPU has vulnerable microcode, so the kernel can't use IBPB to mitigate Variant 2 (Spectre/CVE-2017-5715).\n{{?}}{{? pydata.sysfs_vuln_s2.indexOf(\"Vulnerable: Retpoline on Skylake\") != -1 }}* The CPU is Intel Skylake with updated microcode or newer, but retpolines are enabled. This type of CPU requires that IBRS is enabled and retpolines are disabled. 
The system is vulnerable to Variant 2 (Spectre/CVE-2017-5715) as a result.\n{{?}}{{? pydata.sysfs_vuln_s2.indexOf(\"Vulnerable: Retpoline with unsafe module\") != -1 }}* A kernel module is loaded that has been compiled with a compiler without retpoline support. As a result, the kernel is vulnerable to Variant 2 (Spectre/CVE-2017-5715).\n{{?}}{{?}}{{?}}\n\n{{? !pydata.debugfs_available || pydata.retpo_kernel_but_no_sys_cpu_vuln }}Some diagnostic information was unavailable to Insights.{{?}}\n{{? !pydata.debugfs_available }}* `debugfs` information was not available. {{? pydata.dmesg_available }}Feature settings were inferred from `dmesg` and known vendor defaults.{{??}}`dmesg` information is also unavailable, so it isn't possible to determine which mitigations are available.{{?}}\n{{?}}{{? pydata.retpo_kernel_but_no_sys_cpu_vuln }}* `/sys/devices/system/cpu/vulnerabilities` was not available to Insights, even though the kernel provides it.\n{{?}}\n\n", - "more_info": "* For more information about the flaws, see [Kernel Side-Channel Attacks](https://access.redhat.com/security/vulnerabilities/speculativeexecution), [CVE-2017-5754](https://access.redhat.com/security/cve/CVE-2017-5754), [CVE-2017-5753](https://access.redhat.com/security/cve/CVE-2017-5753), and [CVE-2017-5715](https://access.redhat.com/security/cve/CVE-2017-5715).\n* For possible performance impact of kernel updates, see [Speculative Execution Exploit Performance Impacts](https://access.redhat.com/articles/3307751).\n* For information related to VMs, see [How do I enable Markdown/Spectre mitigations in my virtualised machines?](https://access.redhat.com/articles/3331571)\n* Extensive details can be found at the [Project Zero blog](https://googleprojectzero.blogspot.ca/2018/01/reading-privileged-memory-with-side.html) and [Meltdown and Spectre Attack webpage](https://meltdownattack.com/).\n* More information about performance impact of the mitigations can be found in the [Speculative Execution Exploit 
Performance Impacts](https://access.redhat.com/articles/3307751) knowledgebase article.\n* The Customer Portal page for the [Red Hat Security Team](https://access.redhat.com/security/) contains more information about policies, procedures, and alerts for Red Hat products.\n* The Security Team also maintains a frequently updated blog at [securityblog.redhat.com](https://securityblog.redhat.com).\n", - "resolution_set": [ - { - "system_type": 105, - "resolution": "{{? pydata.dmesg_wrapped || !pydata.debugfs_available || pydata.retpo_kernel_but_no_sys_cpu_vuln }}**To improve detection reliability:**{{?}}\n{{? pydata.dmesg_wrapped}}* The kernel ring buffer has wrapped, making some information from `dmesg` unreliable. See [How do I increase the kernel log ring buffer size?](https://access.redhat.com/solutions/47276) for further information. Rebooting the system may also overcome this issue.\n{{?}}{{? !pydata.debugfs_available}}* Kernel debug information was not available. Mount `debugfs` as follows: \n{{? pydata.release >= 7 }}\n ~~~\n # systemctl restart sys-kernel-debug.mount\n ~~~\n{{??}}\n ~~~\n # mount -t debugfs nodev /sys/kernel/debug\n ~~~\n{{?}}{{?}}{{? pydata.retpo_kernel_but_no_sys_cpu_vuln}}* Allow Insights to collect `/sys/devices/system/cpu/vulnerabilities`.\n{{?}}\n\n**To mitigate the vulnerability:**\n{{? ( pydata.dmesg_wrapped || !pydata.dmesg_available ) && !pydata.debugfs_available && (!pydata.sysfs_vuln_s1 && !pydata.sysfs_vuln_s2 && !pydata.sysfs_vuln_md) }}* It might be necessary to improve detection reliability before we can offer more concrete mitigation steps.{{? !pydata.problems.kernel_supports_features}} If it is not possible, update the kernel package and reboot:\n ~~~\n # yum update {{=pydata.package_name}}\n # reboot\n ~~~\n{{?}}\n{{?}}{{? pydata.dmesg_available && !pydata.problems.kernel_supports_features }}* This system is running a vulnerable kernel. 
Update the kernel package and reboot:\n ~~~\n # yum update {{=pydata.package_name}}\n # reboot\n ~~~\n{{?}}{{? ((pydata.debugfs_available || pydata.dmesg_available) && !pydata.problems.firmware_supports_features) || (pydata.sysfs_vuln_s2 && (pydata.sysfs_vuln_s2.indexOf(\"Vulnerable: Retpoline without IBPB\") != -1)) }}* This system needs a firmware update. Contact your system hardware vendor for more information.\n{{?}}{{? pydata.problems.pti_cmdline_disabled }}* Remove the `nopti` kernel argument:\n ~~~\n # grubby --update-kernel=ALL --remove-args=nopti\n ~~~\n{{?}}{{? pydata.problems.ibpb_cmdline_disabled }}* Remove the `noibpb` kernel argument:\n ~~~\n # grubby --update-kernel=ALL --remove-args=noibpb\n ~~~\n{{?}}{{? pydata.problems.ibrs_cmdline_disabled }}* Remove the `noibrs` kernel argument:\n ~~~\n # grubby --update-kernel=ALL --remove-args=noibrs\n ~~~\n{{?}}{{? ( pydata.problems.ibpb_cmdline_spectre_v2_disabled || pydata.problems.ibrs_cmdline_spectre_v2_disabled ) && ( pydata.problems.spectre_v2_disabling_cmdline.indexOf(\"v2=\") != -1 ) }}* Remove the `spectre_v2` kernel argument:\n ~~~\n # grubby --update-kernel=ALL --remove-args=spectre_v2\n ~~~\n{{?}}{{? ( pydata.problems.ibpb_cmdline_spectre_v2_disabled || pydata.problems.ibrs_cmdline_spectre_v2_disabled ) && ( pydata.problems.spectre_v2_disabling_cmdline.indexOf(\"nospectre\") != -1 ) }}* Remove the `nospectre_v2` kernel argument:\n ~~~\n # grubby --update-kernel=ALL --remove-args=nospectre_v2\n ~~~\n{{?}}{{? pydata.problems.rfi_flush_cmdline_disabled }}* Remove the `no_rfi_flush` kernel argument:\n ~~~\n # grubby --update-kernel=ALL --remove-args=no_rfi_flush\n ~~~\n{{?}}{{? pydata.sysfs_vuln_s2 }}{{? /Vulnerable: Minimal.*ASM retpoline/.test(pydata.sysfs_vuln_s2) }}* This system is running a custom kernel that has been compiled with outdated `gcc`. 
Either recompile the kernel with retpoline-enabled `gcc` or update the kernel package and reboot:\n ~~~\n # yum update {{=pydata.package_name}}\n # reboot\n ~~~\n{{?}}{{? pydata.sysfs_vuln_s2.indexOf(\"Vulnerable: Retpoline on Skylake\") != -1 }}* Enable IBRS and disable retpolines. Retpolines are disabled automatically when IBRS is enabled:\n ~~~\n # echo 1 > /sys/kernel/debug/x86/ibrs_enabled\n ~~~\n{{?}}{{? pydata.sysfs_vuln_s2.indexOf(\"Vulnerable: Retpoline with unsafe module\") != -1 }}* Unload the kernel modules that have been compiled without a retpoline-enabled compiler. To find the affected kernel modules:\n ~~~\n # dmesg | grep \"WARNING: module.*built without retpoline-enabled compiler\"\n ~~~\nTo unload the module:\n ~~~\n # modprobe -r module_name\n ~~~\n{{?}}{{?}}{{? pydata.problems.pti_cmdline_disabled || pydata.problems.ibpb_cmdline_disabled || pydata.problems.ibrs_cmdline_disabled || pydata.problems.ibpb_cmdline_spectre_v2_disabled || pydata.problems.ibrs_cmdline_spectre_v2_disabled || pydata.problems.rfi_flush_cmdline_disabled }}\n ~~~\n # reboot\n ~~~\n {{?}}\n\n{{? !pydata.virtual == false || pydata.virtual === null }}**Note about virtualization**\n\nIn virtualized environment, there are more steps to mitigate the issue, including:\n* Host needs to have updated kernel and CPU microcode\n* Host needs to have updated virtualization software\n* Guest needs to have updated kernel\n* Hypervisor needs to propagate new CPU features correctly\n\nFor more details about mitigations in virtualized environment see: [https://access.redhat.com/articles/3331571](https://access.redhat.com/articles/3331571){{?}}\n\n{{? 
pydata.virtual == \"vmware\" }}For help with setting VMWare to propagate CPU features correctly, refer to the following knowledge-base article: [https://kb.vmware.com/s/article/52085](https://kb.vmware.com/s/article/52085){{?}}\n", - "resolution_risk": { - "name": "Upgrade Kernel", - "risk": 3 - }, - "has_playbook": true - } - ], - "total_risk": 2 - }, - "details": { - "mfr": "Intel", - "type": "rule", - "virtual": "kvm", - "problems": { - "v1_vulnerable": false, - "v2_vulnerable": true, - "v3_vulnerable": false, - "pti_cmdline_disabled": false, - "ibpb_cmdline_disabled": false, - "ibrs_cmdline_disabled": false, - "kernel_supports_features": true, - "firmware_supports_features": false, - "rfi_flush_cmdline_disabled": false, - "spectre_v2_disabling_cmdline": null, - "ibpb_cmdline_spectre_v2_disabled": false, - "ibrs_cmdline_spectre_v2_disabled": false - }, - "cves_fail": [ - "CVE-2017-5715" - ], - "cves_pass": [ - "CVE-2017-5753", - "CVE-2017-5754" - ], - "error_key": "KERNEL_CVE_2017_5753_4_CPU_ERROR_3", - "package_name": "kernel", - "dmesg_wrapped": false, - "release_major": "7", - "sysfs_vuln_md": "Mitigation: PTI", - "sysfs_vuln_s1": "Mitigation: Load fences, __user pointer sanitization", - "sysfs_vuln_s2": "Vulnerable: Retpoline without IBPB", - "running_kernel": "3.10.0-862.14.4.el7.x86_64", - "dmesg_available": true, - "debugfs_available": true, - "old_specs_on_client": false, - "retpo_kernel_but_no_sys_cpu_vuln": false - }, - "resolution": { - "system_type": 105, - "resolution": "{{? pydata.dmesg_wrapped || !pydata.debugfs_available || pydata.retpo_kernel_but_no_sys_cpu_vuln }}**To improve detection reliability:**{{?}}\n{{? pydata.dmesg_wrapped}}* The kernel ring buffer has wrapped, making some information from `dmesg` unreliable. See [How do I increase the kernel log ring buffer size?](https://access.redhat.com/solutions/47276) for further information. Rebooting the system may also overcome this issue.\n{{?}}{{? 
!pydata.debugfs_available}}* Kernel debug information was not available. Mount `debugfs` as follows: \n{{? pydata.release >= 7 }}\n ~~~\n # systemctl restart sys-kernel-debug.mount\n ~~~\n{{??}}\n ~~~\n # mount -t debugfs nodev /sys/kernel/debug\n ~~~\n{{?}}{{?}}{{? pydata.retpo_kernel_but_no_sys_cpu_vuln}}* Allow Insights to collect `/sys/devices/system/cpu/vulnerabilities`.\n{{?}}\n\n**To mitigate the vulnerability:**\n{{? ( pydata.dmesg_wrapped || !pydata.dmesg_available ) && !pydata.debugfs_available && (!pydata.sysfs_vuln_s1 && !pydata.sysfs_vuln_s2 && !pydata.sysfs_vuln_md) }}* It might be necessary to improve detection reliability before we can offer more concrete mitigation steps.{{? !pydata.problems.kernel_supports_features}} If it is not possible, update the kernel package and reboot:\n ~~~\n # yum update {{=pydata.package_name}}\n # reboot\n ~~~\n{{?}}\n{{?}}{{? pydata.dmesg_available && !pydata.problems.kernel_supports_features }}* This system is running a vulnerable kernel. Update the kernel package and reboot:\n ~~~\n # yum update {{=pydata.package_name}}\n # reboot\n ~~~\n{{?}}{{? ((pydata.debugfs_available || pydata.dmesg_available) && !pydata.problems.firmware_supports_features) || (pydata.sysfs_vuln_s2 && (pydata.sysfs_vuln_s2.indexOf(\"Vulnerable: Retpoline without IBPB\") != -1)) }}* This system needs a firmware update. Contact your system hardware vendor for more information.\n{{?}}{{? pydata.problems.pti_cmdline_disabled }}* Remove the `nopti` kernel argument:\n ~~~\n # grubby --update-kernel=ALL --remove-args=nopti\n ~~~\n{{?}}{{? pydata.problems.ibpb_cmdline_disabled }}* Remove the `noibpb` kernel argument:\n ~~~\n # grubby --update-kernel=ALL --remove-args=noibpb\n ~~~\n{{?}}{{? pydata.problems.ibrs_cmdline_disabled }}* Remove the `noibrs` kernel argument:\n ~~~\n # grubby --update-kernel=ALL --remove-args=noibrs\n ~~~\n{{?}}{{? 
( pydata.problems.ibpb_cmdline_spectre_v2_disabled || pydata.problems.ibrs_cmdline_spectre_v2_disabled ) && ( pydata.problems.spectre_v2_disabling_cmdline.indexOf(\"v2=\") != -1 ) }}* Remove the `spectre_v2` kernel argument:\n ~~~\n # grubby --update-kernel=ALL --remove-args=spectre_v2\n ~~~\n{{?}}{{? ( pydata.problems.ibpb_cmdline_spectre_v2_disabled || pydata.problems.ibrs_cmdline_spectre_v2_disabled ) && ( pydata.problems.spectre_v2_disabling_cmdline.indexOf(\"nospectre\") != -1 ) }}* Remove the `nospectre_v2` kernel argument:\n ~~~\n # grubby --update-kernel=ALL --remove-args=nospectre_v2\n ~~~\n{{?}}{{? pydata.problems.rfi_flush_cmdline_disabled }}* Remove the `no_rfi_flush` kernel argument:\n ~~~\n # grubby --update-kernel=ALL --remove-args=no_rfi_flush\n ~~~\n{{?}}{{? pydata.sysfs_vuln_s2 }}{{? /Vulnerable: Minimal.*ASM retpoline/.test(pydata.sysfs_vuln_s2) }}* This system is running a custom kernel that has been compiled with outdated `gcc`. Either recompile the kernel with retpoline-enabled `gcc` or update the kernel package and reboot:\n ~~~\n # yum update {{=pydata.package_name}}\n # reboot\n ~~~\n{{?}}{{? pydata.sysfs_vuln_s2.indexOf(\"Vulnerable: Retpoline on Skylake\") != -1 }}* Enable IBRS and disable retpolines. Retpolines are disabled automatically when IBRS is enabled:\n ~~~\n # echo 1 > /sys/kernel/debug/x86/ibrs_enabled\n ~~~\n{{?}}{{? pydata.sysfs_vuln_s2.indexOf(\"Vulnerable: Retpoline with unsafe module\") != -1 }}* Unload the kernel modules that have been compiled without a retpoline-enabled compiler. To find the affected kernel modules:\n ~~~\n # dmesg | grep \"WARNING: module.*built without retpoline-enabled compiler\"\n ~~~\nTo unload the module:\n ~~~\n # modprobe -r module_name\n ~~~\n{{?}}{{?}}{{? 
pydata.problems.pti_cmdline_disabled || pydata.problems.ibpb_cmdline_disabled || pydata.problems.ibrs_cmdline_disabled || pydata.problems.ibpb_cmdline_spectre_v2_disabled || pydata.problems.ibrs_cmdline_spectre_v2_disabled || pydata.problems.rfi_flush_cmdline_disabled }}\n ~~~\n # reboot\n ~~~\n {{?}}\n\n{{? !pydata.virtual == false || pydata.virtual === null }}**Note about virtualization**\n\nIn virtualized environment, there are more steps to mitigate the issue, including:\n* Host needs to have updated kernel and CPU microcode\n* Host needs to have updated virtualization software\n* Guest needs to have updated kernel\n* Hypervisor needs to propagate new CPU features correctly\n\nFor more details about mitigations in virtualized environment see: [https://access.redhat.com/articles/3331571](https://access.redhat.com/articles/3331571){{?}}\n\n{{? pydata.virtual == \"vmware\" }}For help with setting VMWare to propagate CPU features correctly, refer to the following knowledge-base article: [https://kb.vmware.com/s/article/52085](https://kb.vmware.com/s/article/52085){{?}}\n", - "resolution_risk": { - "name": "Upgrade Kernel", - "risk": 3 - }, - "has_playbook": true - } + "details": { + "type": "rule", + "cves_fail": [ + "CVE-2017-5715" + ], + "cves_pass": [], + "error_key": "VIRT_CVE_2017_5715_CPU_3_ONLYKERNEL", + "kernel_pkg_name": "kernel", + "affected_amd_family": false }, - { - "id": 16923673, - "rule": { - "id": 72, - "created_at": "2019-02-07T14:02:34.653624-05:00", - "updated_at": "2019-03-12T11:45:29.372525-04:00", - "ruleset": { - "created_at": "2018-12-20T20:33:00-05:00", - "updated_at": "2018-12-20T20:33:00-05:00", - "rule_source": "https://$REDACTED$/insights-open-source/insights-security", - "description": "Security" - }, - "rule_id": "CVE_2018_3639_cpu_kernel|CVE_2018_3639_CPU_BAD_MICROCODE", - "description": "Kernel vulnerable to side-channel attacks in modern microprocessors using Speculative Store Bypass when CPU microcode is outdated 
(CVE-2018-3639)", - "active": true, - "category": { - "id": 2, - "name": "Security" - }, - "impact": { - "name": "Local Privilege Escalation", - "impact": 2 - }, - "likelihood": 2, - "node_id": "3448801", - "tags": "security", - "reboot_required": true, - "publish_date": "2018-05-21T21:00:00-04:00", - "summary": "An industry-wide issue was found in the manner in which many modern microprocessors have implemented speculative execution of instructions. It has been assigned [CVE-2018-3639](https://access.redhat.com/security/cve/CVE-2018-3639). Mitigations for this vulnerability require firmware/microcode updates from hardware vendors.\n\nAn unprivileged attacker can use this flaw to bypass restrictions in order to gain read access to privileged memory that would otherwise be inaccessible.\n", - "generic": "An industry-wide issue was found in the manner in which many modern microprocessors have implemented speculative execution of instructions. The flaw is similar to CVE-2017-5753 (aka \"Spectre v1\"), except it leverages Speculative Store Bypass memory optimization in place of the Branch Misprediction used by Spectre v1.\n\nAn unprivileged attacker can use this flaw to bypass restrictions in order to gain read access to privileged memory that would otherwise be inaccessible, e.g. 
to memory outside of a sandboxed environments like web browsers or JIT execution runtimes.\n\nMitigations for this vulnerability require firmware/microcode updates from hardware vendors.\n\nRed Hat recommends that you update the kernel and update firmware.\n", - "reason": "The system is vulnerable because:\n\n* CPU microcode requires an update\n", - "more_info": "* For more information about the flaw, see [the vulnerability article](https://access.redhat.com/security/vulnerabilities/ssbd).\n* To learn how to upgrade packages, see [What is yum and how do I use it?](https://access.redhat.com/solutions/9934).\n* The Customer Portal page for the [Red Hat Security Team](https://access.redhat.com/security/) contains more information about policies, procedures, and alerts for Red Hat products.\n* The Security Team also maintains a frequently updated blog at [securityblog.redhat.com](https://securityblog.redhat.com).\n", - "resolution_set": [ - { - "system_type": 105, - "resolution": "This system needs a firmware update. Contact your system hardware vendor for more information.\n\n{{? !pydata.virtual == false || pydata.virtual === null}}**Note about virtualization**\n\nIn virtualized environment, there are more steps to mitigate the issue, including:\n* Host needs to have updated kernel and CPU microcode\n* Host needs to have updated virtualization software\n* Guest needs to have updated kernel\n* Hypervisor needs to propagate new CPU features correctly\n\nFor more details about mitigations in virtualized environment see: [https://access.redhat.com/articles/3331571](https://access.redhat.com/articles/3331571){{?}}\n\n{{? 
pydata.virtual == \"vmware\" }}For help with setting VMWare to propagate CPU features correctly, refer to the following knowledge-base article: [https://kb.vmware.com/s/article/52085](https://kb.vmware.com/s/article/52085){{?}}\n", - "resolution_risk": { - "name": "Hardware Vendor Firmware Update", - "risk": 3 - }, - "has_playbook": false - } - ], - "total_risk": 2 + "resolution": { + "system_type": 105, + "resolution": "{{? pydata.error_key == \"VIRT_CVE_2017_5715_CPU_3_VIRTKERNEL\" || pydata.error_key == \"VIRT_CVE_2017_5715_CPU_3_DRACUTKERNEL\" }}Red Hat recommends that you update the kernel and the packages and restart the system:\n\n~~~~\n# yum update{{~ pydata.PACKAGE_NAMES :value:index}} {{= value }}{{~}}\n# yum update {{=pydata.kernel_pkg_name}}\n# reboot\n~~~~\n\nIf additional steps to update the kernel are necessary, they are detailed in the separate insights rule *Kernel vulnerable to side-channel attacks in modern microprocessors (CVE-2017-5753/Spectre, CVE-2017-5715/Spectre, CVE-2017-5754/Meltdown)*.\n{{?}}{{? pydata.error_key == \"VIRT_CVE_2017_5715_CPU_3_ONLYKERNEL\" }}Red Hat recommends that you update the kernel:\n\n~~~~\n# yum update {{=pydata.kernel_pkg_name}}\n# reboot\n~~~~\n\nIf additional steps to update the kernel are necessary, they are detailed in the separate insights rule *Kernel vulnerable to side-channel attacks in modern microprocessors (CVE-2017-5753/Spectre, CVE-2017-5715/Spectre, CVE-2017-5754/Meltdown)*.\n{{?}}{{? pydata.error_key == \"VIRT_CVE_2017_5715_CPU_3_ONLYVIRT\" || pydata.error_key == \"VIRT_CVE_2017_5715_CPU_3_ONLYDRACUT\" }}Red Hat recommends that you update the packages and restart the system:\n\n~~~~\n# yum update{{~ pydata.PACKAGE_NAMES :value:index}} {{= value }}{{~}}\n# reboot\n~~~~\n{{?}}\n\nFixes require CPU microcode/firmware to activate.\n\n**In addition:**\n\nSubscribers are advised to contact their hardware OEM to receive the appropriate microcode/firmware for their processor. 
Red Hat may be providing `microcode_ctl` and `linux_firmware` packages that will cover the limited subset of chipsets we were able to test, but this will **not** address many CPUs that you may have in use in your server fleet. Again, contacting your hardware vendor will ensure you have the appropriate software to enable the protections for Variant 2 of this issue.\n", + "resolution_risk": { + "name": "Upgrade Kernel", + "risk": 3 }, - "details": { - "rt": false, - "type": "rule", - "virtual": "kvm", - "cmd_avail": true, - "cves_fail": [ - "CVE-2018-3639" - ], - "cves_pass": [], - "error_key": "CVE_2018_3639_CPU_BAD_MICROCODE", - "running_kernel": "3.10.0-862.14.4.el7.x86_64", - "vuln_file_present": true - }, - "resolution": { - "system_type": 105, - "resolution": "This system needs a firmware update. Contact your system hardware vendor for more information.\n\n{{? !pydata.virtual == false || pydata.virtual === null}}**Note about virtualization**\n\nIn virtualized environment, there are more steps to mitigate the issue, including:\n* Host needs to have updated kernel and CPU microcode\n* Host needs to have updated virtualization software\n* Guest needs to have updated kernel\n* Hypervisor needs to propagate new CPU features correctly\n\nFor more details about mitigations in virtualized environment see: [https://access.redhat.com/articles/3331571](https://access.redhat.com/articles/3331571){{?}}\n\n{{? 
pydata.virtual == \"vmware\" }}For help with setting VMWare to propagate CPU features correctly, refer to the following knowledge-base article: [https://kb.vmware.com/s/article/52085](https://kb.vmware.com/s/article/52085){{?}}\n", - "resolution_risk": { - "name": "Hardware Vendor Firmware Update", - "risk": 3 - }, - "has_playbook": false - } - }, - { - "id": 16923678, - "rule": { - "id": 193, - "created_at": "2019-02-07T14:02:35.803497-05:00", - "updated_at": "2019-02-07T14:02:35.803513-05:00", - "ruleset": { - "created_at": "2018-12-20T20:33:00-05:00", - "updated_at": "2018-12-20T20:33:00-05:00", - "rule_source": "https://$REDACTED$/insights-open-source/insights-security", - "description": "Security" - }, - "rule_id": "hardening_httpd_pci_dss|HARDENING_HTTPD_PCI_DSS", - "description": "Decreased security in httpd when using deprecated TLS protocol version (PCI DSS)", - "active": true, - "category": { - "id": 2, - "name": "Security" - }, - "impact": { - "name": "Hardening", - "impact": 1 - }, - "likelihood": 1, - "node_id": "", - "tags": "httpd hardening security", - "reboot_required": false, - "publish_date": "2018-10-20T00:00:00-04:00", - "summary": "PCI Data Security Standard [mandates disabling](https://blog.pcisecuritystandards.org/are-you-ready-for-30-june-2018-sayin-goodbye-to-ssl-early-tls) TLS versions older than 1.1 for safeguarding payment data.\n", - "generic": "These hosts are running httpd with legacy SSL or TLS versions enabled and might be non-compliant with the PCI Data Security Standard.\n\nRed Hat recommends that you change your httpd/Apache configuration files. 
Select a host to see the host-specific details that need to be updated within the httpd/Apache configuration.\n", - "reason": "This host is running httpd with legacy SSL or TLS versions enabled and might be non-compliant with the PCI Data Security Standard.\n", - "more_info": "* For more information about the new PCI DSS rules, see [the article](https://blog.pcisecuritystandards.org/are-you-ready-for-30-june-2018-sayin-goodbye-to-ssl-early-tls)\n* [How do I globally disable TLSv1.0 on my RHEL server?](https://access.redhat.com/solutions/2157131)\n* The Customer Portal page for the [Red Hat Security Team](https://access.redhat.com/security/) contains more information about policies, procedures, and alerts for Red Hat Products.\n* The Security Team also maintains a frequently updated blog at [securityblog.redhat.com](https://securityblog.redhat.com).\n", - "resolution_set": [ - { - "system_type": 19, - "resolution": "Red Hat recommends that you disable SSLv3 and TLSv1.0.\n\n{{?pydata.ssl_protocols}}**The following SSLProtocol directive(s) in the respective Apache configuration files will need to be modified:**\n
    {{~pydata.ssl_protocols: ssl}}\n
  • `{{=ssl[0]}}` - `{{=ssl[1]}}`
  • \n{{~}}
\n\nRed Hat recommends that either of these `SSLProtocol` configurations is used:\n* `SSLProtocol -all +TLSv1.1 +TLSv1.2`\n* `SSLProtocol all -SSLv2 -SSLv3 -TLSv1`\n\nFor additional hardening, to use TLS 1.2 only, use either of these `SSLProtocol` configurations:\n* `SSLProtocol -all +TLSv1.2`\n* `SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1`\n{{?}}\n\n{{?pydata.nss_protocols}}**The following NSSProtocol directive(s) in the respective Apache configuration files will need to be modified:**\n
    {{~pydata.nss_protocols: nss}}\n
  • `{{=nss[0]}}` - `{{=nss[1]}}`
  • \n{{~}}
\n\nRed Hat recommends that this `NSSProtocol` configuration is used:\n* `NSSProtocol TLSv1.1,TLSv1.2`\n\nFor additional hardening, to use TLS 1.2 only, use the following `NSSProtocol` configuration:\n* `NSSProtocol TLSv1.2`\n{{?}}\n\nThen restart httpd:\n\n # service httpd restart\n\nMake the changes permanent in the container image by using the **docker commit** command at the next container shutdown.\n\n{{?pydata.scl_installed}}You have installed httpd from Software Collections, which uses a different configuration files path from the default httpd. Some of the detected configuration files might be applicable only if the respective httpd package is used. Red Hat recommends resolving all listed issues to prevent inadvertent exposure to the vulnerability in case the httpd you use changes in the future.\n{{?}}\n", - "resolution_risk": { - "name": "Update Service Configuration", - "risk": 3 - }, - "has_playbook": false - }, - { - "system_type": 105, - "resolution": "Red Hat recommends that you disable SSLv3 and TLSv1.0.\n\n{{?pydata.ssl_protocols}}**The following SSLProtocol directive(s) in the respective Apache configuration files will need to be modified:**\n{{~pydata.ssl_protocols: ssl}}* `{{=ssl[0]}}` - {{=ssl[1]}}\n{{~}}\n\nRed Hat recommends that either of these `SSLProtocol` configurations is used:\n* `SSLProtocol -all +TLSv1.1 +TLSv1.2`\n* `SSLProtocol all -SSLv2 -SSLv3 -TLSv1`\n\nFor additional hardening, to use TLS 1.2 only, use either of these `SSLProtocol` configurations:\n* `SSLProtocol -all +TLSv1.2`\n* `SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1`\n{{?}}\n\n{{?pydata.nss_protocols}}**The following NSSProtocol directive(s) in the respective Apache configuration files will need to be modified:**\n{{~pydata.nss_protocols: nss}}* `{{=nss[0]}}` - {{=nss[1]}}\n{{~}}\n\nRed Hat recommends that this `NSSProtocol` configuration is used:\n* `NSSProtocol TLSv1.1,TLSv1.2`\n\nFor additional hardening, to use TLS 1.2 only, use the following `NSSProtocol` 
configuration:\n* `NSSProtocol TLSv1.2`\n{{?}}\n\nThen restart httpd:\n\n # service httpd restart\n\n{{?pydata.scl_installed}}You have installed httpd from Software Collections, which uses a different configuration files path from the default httpd. Some of the detected configuration files might be applicable only if the respective httpd package is used. Red Hat recommends resolving all listed issues to prevent inadvertent exposure to the vulnerability in case the httpd you use changes in the future.\n{{?}}\n", - "resolution_risk": { - "name": "Update Service Configuration", - "risk": 3 - }, - "has_playbook": false - }, - { - "system_type": 29, - "resolution": "Red Hat recommends that you disable SSLv3 and TLSv1.0.\n\n{{?pydata.ssl_protocols}}**The following SSLProtocol directive(s) in the respective Apache configuration files will need to be modified:**\n
    {{~pydata.ssl_protocols: ssl}}\n
  • `{{=ssl[0]}}` - `{{=ssl[1]}}`
  • \n{{~}}
\n\nRed Hat recommends that either of these `SSLProtocol` configurations is used:\n* `SSLProtocol -all +TLSv1.1 +TLSv1.2`\n* `SSLProtocol all -SSLv2 -SSLv3 -TLSv1`\n\nFor additional hardening, to use TLS 1.2 only, use either of these `SSLProtocol` configurations:\n* `SSLProtocol -all +TLSv1.2`\n* `SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1`\n{{?}}\n\n{{?pydata.nss_protocols}}**The following NSSProtocol directive(s) in the respective Apache configuration files will need to be modified:**\n
    {{~pydata.nss_protocols: nss}}\n
  • `{{=nss[0]}}` - `{{=nss[1]}}`
  • \n{{~}}
\n\nRed Hat recommends that this `NSSProtocol` configuration is used:\n* `NSSProtocol TLSv1.1,TLSv1.2`\n\nFor additional hardening, to use TLS 1.2 only, use the following `NSSProtocol` configuration:\n* `NSSProtocol TLSv1.2`\n{{?}}\n\nMake the changes permanent in the image by using the **docker commit** command.\n\n{{?pydata.scl_installed}}You have installed httpd from Software Collections, which uses a different configuration files path from the default httpd. Some of the detected configuration files might be applicable only if the respective httpd package is used. Red Hat recommends resolving all listed issues to prevent inadvertent exposure to the vulnerability in case the httpd you use changes in the future.\n{{?}}\n", - "resolution_risk": { - "name": "Update Service Configuration", - "risk": 3 - }, - "has_playbook": false - } - ], - "total_risk": 1 - }, - "details": { - "type": "rule", - "error_key": "HARDENING_HTTPD_PCI_DSS", - "nss_protocols": [ - [ - "NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2", - "/etc/httpd/conf.d/nss.conf" - ] - ], - "scl_installed": false, - "ssl_protocols": null - }, - "resolution": { - "system_type": 105, - "resolution": "Red Hat recommends that you disable SSLv3 and TLSv1.0.\n\n{{?pydata.ssl_protocols}}**The following SSLProtocol directive(s) in the respective Apache configuration files will need to be modified:**\n{{~pydata.ssl_protocols: ssl}}* `{{=ssl[0]}}` - {{=ssl[1]}}\n{{~}}\n\nRed Hat recommends that either of these `SSLProtocol` configurations is used:\n* `SSLProtocol -all +TLSv1.1 +TLSv1.2`\n* `SSLProtocol all -SSLv2 -SSLv3 -TLSv1`\n\nFor additional hardening, to use TLS 1.2 only, use either of these `SSLProtocol` configurations:\n* `SSLProtocol -all +TLSv1.2`\n* `SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1`\n{{?}}\n\n{{?pydata.nss_protocols}}**The following NSSProtocol directive(s) in the respective Apache configuration files will need to be modified:**\n{{~pydata.nss_protocols: nss}}* `{{=nss[0]}}` - {{=nss[1]}}\n{{~}}\n\nRed 
Hat recommends that this `NSSProtocol` configuration is used:\n* `NSSProtocol TLSv1.1,TLSv1.2`\n\nFor additional hardening, to use TLS 1.2 only, use the following `NSSProtocol` configuration:\n* `NSSProtocol TLSv1.2`\n{{?}}\n\nThen restart httpd:\n\n # service httpd restart\n\n{{?pydata.scl_installed}}You have installed httpd from Software Collections, which uses a different configuration files path from the default httpd. Some of the detected configuration files might be applicable only if the respective httpd package is used. Red Hat recommends resolving all listed issues to prevent inadvertent exposure to the vulnerability in case the httpd you use changes in the future.\n{{?}}\n", - "resolution_risk": { - "name": "Update Service Configuration", - "risk": 3 - }, - "has_playbook": false - } - }, - { - "id": 16923677, - "rule": { - "id": 235, - "created_at": "2019-02-07T14:02:36.236195-05:00", - "updated_at": "2019-02-11T15:21:37.409742-05:00", - "ruleset": { - "created_at": "2018-05-21T22:00:51-04:00", - "updated_at": "2018-05-21T22:00:51-04:00", - "rule_source": "https://$REDACTED$/insights-open-source/insights-plugins", - "description": "Advisor" - }, - "rule_id": "httpd24_deprecated_order|DEPRECATED_ORDER_USED_INFO_V1", - "description": "Unexpected behavior when using deprecated access control directives in httpd 2.4", - "active": true, - "category": { - "id": 1, - "name": "Availability" - }, - "impact": { - "name": "Invalid Configuration", - "impact": 1 - }, - "likelihood": 3, - "node_id": "", - "tags": "sbr_webservers webservers httpd", - "reboot_required": false, - "publish_date": "2018-05-30T20:39:00-04:00", - "summary": "The httpd service does not work as expected when using old directives in httpd-2.4.\n", - "generic": "Access control is using deprecated directives (\"Order\", \"Allow\" and \"Deny\") provided by `mod_authz_compat` which has been replaced by `mod_authz_host` in **httpd 2.4**.\n", - "reason": "This host is running **{{=pydata.ver}}** and 
using the following old directives (`Order`, `Allow` or `Deny`) which have been deprecated:\n\n{{ for (var _sec in pydata.dep_conf) { }}\n* Section `<{{=_sec}}>`\n {{ for (var file in pydata.dep_conf[_sec]) { }} * Configuration file `{{=file}}`\n ```text {{ for (var dir in pydata.dep_conf[_sec][file]) { }}\n {{=pydata.dep_conf[_sec][file][dir]}} {{ } }}\n ```\n {{ } }}\n{{ } }}\n", - "more_info": "", - "resolution_set": [ - { - "system_type": 105, - "resolution": "Red Hat recommends that you replace the old directives (\"Order\", \"Allow\" and \"Deny\") with the new directive (\"Require\") in **httpd-2.4**. Please check the [Upgrading to 2.4 from 2.2](http://httpd.apache.org/docs/2.4/upgrading.html) guide for more information.\n", - "resolution_risk": { - "name": "Update Service Configuration", - "risk": 3 - }, - "has_playbook": false - } - ], - "total_risk": 2 - }, - "details": { - "ver": "httpd-2.4.6-80.el7", - "type": "rule", - "dep_conf": { - "Location /KdcProxy": { - "/etc/httpd/conf.d/ipa-kdc-proxy.conf": [ - "Order Deny,Allow", - "Allow from all" - ] - }, - "Directory /usr/share/fonts": { - "/etc/httpd/conf.d/ipa.conf": [ - "Allow from all" - ] - }, - "Directory /usr/share/ipa/ui": { - "/etc/httpd/conf.d/ipa.conf": [ - "Allow from all" - ] - }, - "Directory /usr/share/ipa/html": { - "/etc/httpd/conf.d/ipa.conf": [ - "Allow from all" - ] - }, - "Directory /usr/share/ipa/wsgi": { - "/etc/httpd/conf.d/ipa.conf": [ - "Allow from all" - ] - }, - "Location /ipa/session/sync_token": { - "/etc/httpd/conf.d/ipa.conf": [ - "Order Deny,Allow", - "Allow from all" - ] - }, - "Directory /usr/share/ipa/migration": { - "/etc/httpd/conf.d/ipa.conf": [ - "Allow from all" - ] - }, - "Location /ipa/session/login_password": { - "/etc/httpd/conf.d/ipa.conf": [ - "Order Deny,Allow", - "Allow from all" - ] - }, - "Directory /var/lib/ipa/pki-ca/publish": { - "/etc/httpd/conf.d/ipa.conf": [ - "Allow from all" - ] - }, - "Location /ipa/session/change_password": { - 
"/etc/httpd/conf.d/ipa.conf": [
- "Order Deny,Allow",
- "Allow from all"
- ]
- }
- },
- "error_key": "DEPRECATED_ORDER_USED_INFO_V1"
- },
- "resolution": {
- "system_type": 105,
- "resolution": "Red Hat recommends that you replace the old directives (\"Order\", \"Allow\" and \"Deny\") with the new directive (\"Require\") in **httpd-2.4**. Please check the [Upgrading to 2.4 from 2.2](http://httpd.apache.org/docs/2.4/upgrading.html) guide for more information.\n",
- "resolution_risk": {
- "name": "Update Service Configuration",
- "risk": 3
- },
- "has_playbook": false
- }
+ "has_playbook": true
 }
- ]
-}
+ },
+ {
+ "id": 16923676,
+ "rule": {
+ "id": 49,
+ "created_at": "2019-02-07T14:02:34.410515-05:00",
+ "updated_at": "2019-03-12T11:45:28.875932-04:00",
+ "ruleset": {
+ "created_at": "2018-12-20T20:33:00-05:00",
+ "updated_at": "2018-12-20T20:33:00-05:00",
+ "rule_source": "https://$REDACTED$/insights-open-source/insights-security",
+ "description": "Security"
+ },
+ "rule_id": "CVE_2017_5753_4_cpu_kernel|KERNEL_CVE_2017_5753_4_CPU_ERROR_3",
+ "description": "Kernel vulnerable to side-channel attacks in modern microprocessors (CVE-2017-5753/Spectre, CVE-2017-5715/Spectre, CVE-2017-5754/Meltdown)",
+ "active": true,
+ "category": {
+ "id": 2,
+ "name": "Security"
+ },
+ "impact": {
+ "name": "Information Disclosure",
+ "impact": 3
+ },
+ "likelihood": 2,
+ "node_id": "3244101",
+ "tags": "security kernel CVE",
+ "reboot_required": true,
+ "publish_date": "2018-01-22T12:00:00-05:00",
+ "summary": "A vulnerability was discovered in modern microprocessors supported by the kernel, whereby an unprivileged attacker can use this flaw to bypass restrictions to gain read access to privileged memory.\nThe issue was reported as [CVE-2017-5753 / CVE-2017-5715 / Spectre](https://access.redhat.com/security/cve/CVE-2017-5753) and [CVE-2017-5754 / Meltdown](https://access.redhat.com/security/cve/CVE-2017-5754).\n",
+ "generic": "An industry-wide issue was found in the manner many 
modern microprocessors have implemented speculative execution of instructions. There are three primary variants of the issue which differ in the way the speculative execution can be exploited.\n\nAll three rely upon the fact that modern high performance microprocessors implement both speculative execution, and utilize VIPT (Virtually Indexed, Physically Tagged) level 1 data caches that may become allocated with data in the kernel virtual address space during such speculation.\n\nAn unprivileged attacker could use these to read privileged memory by conducting targeted cache side-channel attacks, including memory locations that cross the syscall boundary or the guest/host boundary, or potentially arbitrary host memory addresses.\n\nMitigations for these vulnerabilities additionally require firmware/microcode updates from hardware vendors.\n", + "reason": "This system is vulnerable to the following variant(s):\n\n{{? pydata.problems.v1_vulnerable}}* Variant 1 (Spectre/CVE-2017-5753)\n{{?}}{{? pydata.problems.v2_vulnerable}}* Variant 2 (Spectre/CVE-2017-5715)\n{{?}}{{? pydata.problems.v3_vulnerable}}* Variant 3 (Meltdown/CVE-2017-5754)\n{{?}}\n\n{{ var factors_contributing_displayed = (!pydata.problems.kernel_supports_features || !pydata.problems.firmware_supports_features || pydata.problems.pti_cmdline_disabled || pydata.problems.ibpb_cmdline_disabled || pydata.problems.ibpb_cmdline_spectre_v2_disabled || pydata.problems.ibrs_cmdline_disabled || pydata.problems.ibrs_cmdline_spectre_v2_disabled || pydata.problems.rfi_flush_cmdline_disabled) ; }}{{? factors_contributing_displayed }}Factors contributing to these vulnerabilities are:\n\n{{? !pydata.problems.kernel_supports_features}}* This system's kernel needs updating.\n{{?}}{{? !pydata.problems.firmware_supports_features}}* This system needs a firmware update.\n{{?}}{{? pydata.problems.pti_cmdline_disabled}}* PTI has been disabled by the `nopti` kernel argument.\n{{?}}{{? 
pydata.problems.ibpb_cmdline_disabled}}* IBPB has been disabled by the `noibpb` kernel argument.\n{{?}}{{? pydata.problems.ibpb_cmdline_spectre_v2_disabled}}* IBPB has been disabled by the `{{=pydata.problems.spectre_v2_disabling_cmdline}}` kernel argument.\n{{?}}{{? pydata.problems.ibrs_cmdline_disabled}}* IBRS has been disabled by the `noibrs` kernel argument.\n{{?}}{{? pydata.problems.ibrs_cmdline_spectre_v2_disabled}}* IBRS has been disabled by the `{{=pydata.problems.spectre_v2_disabling_cmdline}}` kernel argument.\n{{?}}{{? pydata.problems.rfi_flush_cmdline_disabled}}* RFI flush has been disabled by the `no_rfi_flush` kernel argument.\n{{?}}{{?}}\n\n{{? ( pydata.sysfs_vuln_md && (pydata.sysfs_vuln_md.indexOf(\"Vulnerable\") != -1)) || ( pydata.sysfs_vuln_s2 && (/Vulnerable: Minimal.*ASM retpoline/.test(pydata.sysfs_vuln_s2) || pydata.sysfs_vuln_s2.indexOf(\"Vulnerable: Retpoline without IBPB\") != -1 || pydata.sysfs_vuln_s2.indexOf(\"Vulnerable: Retpoline on Skylake\") != -1 || pydata.sysfs_vuln_s2.indexOf(\"Vulnerable: Retpoline with unsafe module\") != -1)) }}{{? factors_contributing_displayed }}Additional details:{{??}}Factors contributing to these vulnerabilities are:{{?}}\n\n{{? pydata.sysfs_vuln_md }}{{? pydata.sysfs_vuln_md.indexOf(\"Vulnerable\") != -1 }}* The CPU is vulnerable to Variant 3 (Meltdown/CVE-2017-5754) and PTI is disabled.\n{{?}}{{?}}{{? pydata.sysfs_vuln_s2 }}{{? /Vulnerable: Minimal.*ASM retpoline/.test(pydata.sysfs_vuln_s2) }}* The kernel has been compiled with an old version of the `gcc` compiler that doesn't support retpolines, so the kernel is vulnerable to Variant 2 (Spectre/CVE-2017-5715).\n{{?}}{{? pydata.sysfs_vuln_s2.indexOf(\"Vulnerable: Retpoline without IBPB\") != -1 }}* The CPU has vulnerable microcode, so the kernel can't use IBPB to mitigate Variant 2 (Spectre/CVE-2017-5715).\n{{?}}{{? 
pydata.sysfs_vuln_s2.indexOf(\"Vulnerable: Retpoline on Skylake\") != -1 }}* The CPU is Intel Skylake with updated microcode or newer, but retpolines are enabled. This type of CPU requires that IBRS is enabled and retpolines are disabled. The system is vulnerable to Variant 2 (Spectre/CVE-2017-5715) as a result.\n{{?}}{{? pydata.sysfs_vuln_s2.indexOf(\"Vulnerable: Retpoline with unsafe module\") != -1 }}* A kernel module is loaded that has been compiled with a compiler without retpoline support. As a result, the kernel is vulnerable to Variant 2 (Spectre/CVE-2017-5715).\n{{?}}{{?}}{{?}}\n\n{{? !pydata.debugfs_available || pydata.retpo_kernel_but_no_sys_cpu_vuln }}Some diagnostic information was unavailable to Insights.{{?}}\n{{? !pydata.debugfs_available }}* `debugfs` information was not available. {{? pydata.dmesg_available }}Feature settings were inferred from `dmesg` and known vendor defaults.{{??}}`dmesg` information is also unavailable, so it isn't possible to determine which mitigations are available.{{?}}\n{{?}}{{? 
pydata.retpo_kernel_but_no_sys_cpu_vuln }}* `/sys/devices/system/cpu/vulnerabilities` was not available to Insights, even though the kernel provides it.\n{{?}}\n\n", + "more_info": "* For more information about the flaws, see [Kernel Side-Channel Attacks](https://access.redhat.com/security/vulnerabilities/speculativeexecution), [CVE-2017-5754](https://access.redhat.com/security/cve/CVE-2017-5754), [CVE-2017-5753](https://access.redhat.com/security/cve/CVE-2017-5753), and [CVE-2017-5715](https://access.redhat.com/security/cve/CVE-2017-5715).\n* For possible performance impact of kernel updates, see [Speculative Execution Exploit Performance Impacts](https://access.redhat.com/articles/3307751).\n* For information related to VMs, see [How do I enable Markdown/Spectre mitigations in my virtualised machines?](https://access.redhat.com/articles/3331571)\n* Extensive details can be found at the [Project Zero blog](https://googleprojectzero.blogspot.ca/2018/01/reading-privileged-memory-with-side.html) and [Meltdown and Spectre Attack webpage](https://meltdownattack.com/).\n* More information about performance impact of the mitigations can be found in the [Speculative Execution Exploit Performance Impacts](https://access.redhat.com/articles/3307751) knowledgebase article.\n* The Customer Portal page for the [Red Hat Security Team](https://access.redhat.com/security/) contains more information about policies, procedures, and alerts for Red Hat products.\n* The Security Team also maintains a frequently updated blog at [securityblog.redhat.com](https://securityblog.redhat.com).\n", + "resolution_set": [ + { + "system_type": 105, + "resolution": "{{? pydata.dmesg_wrapped || !pydata.debugfs_available || pydata.retpo_kernel_but_no_sys_cpu_vuln }}**To improve detection reliability:**{{?}}\n{{? pydata.dmesg_wrapped}}* The kernel ring buffer has wrapped, making some information from `dmesg` unreliable. 
See [How do I increase the kernel log ring buffer size?](https://access.redhat.com/solutions/47276) for further information. Rebooting the system may also overcome this issue.\n{{?}}{{? !pydata.debugfs_available}}* Kernel debug information was not available. Mount `debugfs` as follows: \n{{? pydata.release >= 7 }}\n ~~~\n # systemctl restart sys-kernel-debug.mount\n ~~~\n{{??}}\n ~~~\n # mount -t debugfs nodev /sys/kernel/debug\n ~~~\n{{?}}{{?}}{{? pydata.retpo_kernel_but_no_sys_cpu_vuln}}* Allow Insights to collect `/sys/devices/system/cpu/vulnerabilities`.\n{{?}}\n\n**To mitigate the vulnerability:**\n{{? ( pydata.dmesg_wrapped || !pydata.dmesg_available ) && !pydata.debugfs_available && (!pydata.sysfs_vuln_s1 && !pydata.sysfs_vuln_s2 && !pydata.sysfs_vuln_md) }}* It might be necessary to improve detection reliability before we can offer more concrete mitigation steps.{{? !pydata.problems.kernel_supports_features}} If it is not possible, update the kernel package and reboot:\n ~~~\n # yum update {{=pydata.package_name}}\n # reboot\n ~~~\n{{?}}\n{{?}}{{? pydata.dmesg_available && !pydata.problems.kernel_supports_features }}* This system is running a vulnerable kernel. Update the kernel package and reboot:\n ~~~\n # yum update {{=pydata.package_name}}\n # reboot\n ~~~\n{{?}}{{? ((pydata.debugfs_available || pydata.dmesg_available) && !pydata.problems.firmware_supports_features) || (pydata.sysfs_vuln_s2 && (pydata.sysfs_vuln_s2.indexOf(\"Vulnerable: Retpoline without IBPB\") != -1)) }}* This system needs a firmware update. Contact your system hardware vendor for more information.\n{{?}}{{? pydata.problems.pti_cmdline_disabled }}* Remove the `nopti` kernel argument:\n ~~~\n # grubby --update-kernel=ALL --remove-args=nopti\n ~~~\n{{?}}{{? pydata.problems.ibpb_cmdline_disabled }}* Remove the `noibpb` kernel argument:\n ~~~\n # grubby --update-kernel=ALL --remove-args=noibpb\n ~~~\n{{?}}{{? 
pydata.problems.ibrs_cmdline_disabled }}* Remove the `noibrs` kernel argument:\n ~~~\n # grubby --update-kernel=ALL --remove-args=noibrs\n ~~~\n{{?}}{{? ( pydata.problems.ibpb_cmdline_spectre_v2_disabled || pydata.problems.ibrs_cmdline_spectre_v2_disabled ) && ( pydata.problems.spectre_v2_disabling_cmdline.indexOf(\"v2=\") != -1 ) }}* Remove the `spectre_v2` kernel argument:\n ~~~\n # grubby --update-kernel=ALL --remove-args=spectre_v2\n ~~~\n{{?}}{{? ( pydata.problems.ibpb_cmdline_spectre_v2_disabled || pydata.problems.ibrs_cmdline_spectre_v2_disabled ) && ( pydata.problems.spectre_v2_disabling_cmdline.indexOf(\"nospectre\") != -1 ) }}* Remove the `nospectre_v2` kernel argument:\n ~~~\n # grubby --update-kernel=ALL --remove-args=nospectre_v2\n ~~~\n{{?}}{{? pydata.problems.rfi_flush_cmdline_disabled }}* Remove the `no_rfi_flush` kernel argument:\n ~~~\n # grubby --update-kernel=ALL --remove-args=no_rfi_flush\n ~~~\n{{?}}{{? pydata.sysfs_vuln_s2 }}{{? /Vulnerable: Minimal.*ASM retpoline/.test(pydata.sysfs_vuln_s2) }}* This system is running a custom kernel that has been compiled with outdated `gcc`. Either recompile the kernel with retpoline-enabled `gcc` or update the kernel package and reboot:\n ~~~\n # yum update {{=pydata.package_name}}\n # reboot\n ~~~\n{{?}}{{? pydata.sysfs_vuln_s2.indexOf(\"Vulnerable: Retpoline on Skylake\") != -1 }}* Enable IBRS and disable retpolines. Retpolines are disabled automatically when IBRS is enabled:\n ~~~\n # echo 1 > /sys/kernel/debug/x86/ibrs_enabled\n ~~~\n{{?}}{{? pydata.sysfs_vuln_s2.indexOf(\"Vulnerable: Retpoline with unsafe module\") != -1 }}* Unload the kernel modules that have been compiled without a retpoline-enabled compiler. To find the affected kernel modules:\n ~~~\n # dmesg | grep \"WARNING: module.*built without retpoline-enabled compiler\"\n ~~~\nTo unload the module:\n ~~~\n # modprobe -r module_name\n ~~~\n{{?}}{{?}}{{? 
pydata.problems.pti_cmdline_disabled || pydata.problems.ibpb_cmdline_disabled || pydata.problems.ibrs_cmdline_disabled || pydata.problems.ibpb_cmdline_spectre_v2_disabled || pydata.problems.ibrs_cmdline_spectre_v2_disabled || pydata.problems.rfi_flush_cmdline_disabled }}\n ~~~\n # reboot\n ~~~\n {{?}}\n\n{{? !pydata.virtual == false || pydata.virtual === null }}**Note about virtualization**\n\nIn virtualized environment, there are more steps to mitigate the issue, including:\n* Host needs to have updated kernel and CPU microcode\n* Host needs to have updated virtualization software\n* Guest needs to have updated kernel\n* Hypervisor needs to propagate new CPU features correctly\n\nFor more details about mitigations in virtualized environment see: [https://access.redhat.com/articles/3331571](https://access.redhat.com/articles/3331571){{?}}\n\n{{? pydata.virtual == \"vmware\" }}For help with setting VMWare to propagate CPU features correctly, refer to the following knowledge-base article: [https://kb.vmware.com/s/article/52085](https://kb.vmware.com/s/article/52085){{?}}\n",
+ "resolution_risk": {
+ "name": "Upgrade Kernel",
+ "risk": 3
+ },
+ "has_playbook": true
+ }
+ ],
+ "total_risk": 2
+ },
+ "details": {
+ "mfr": "Intel",
+ "type": "rule",
+ "virtual": "kvm",
+ "problems": {
+ "v1_vulnerable": false,
+ "v2_vulnerable": true,
+ "v3_vulnerable": false,
+ "pti_cmdline_disabled": false,
+ "ibpb_cmdline_disabled": false,
+ "ibrs_cmdline_disabled": false,
+ "kernel_supports_features": true,
+ "firmware_supports_features": false,
+ "rfi_flush_cmdline_disabled": false,
+ "spectre_v2_disabling_cmdline": null,
+ "ibpb_cmdline_spectre_v2_disabled": false,
+ "ibrs_cmdline_spectre_v2_disabled": false
+ },
+ "cves_fail": [
+ "CVE-2017-5715"
+ ],
+ "cves_pass": [
+ "CVE-2017-5753",
+ "CVE-2017-5754"
+ ],
+ "error_key": "KERNEL_CVE_2017_5753_4_CPU_ERROR_3",
+ "package_name": "kernel",
+ "dmesg_wrapped": false,
+ "release_major": "7",
+ "sysfs_vuln_md": "Mitigation: PTI",
+ 
"sysfs_vuln_s1": "Mitigation: Load fences, __user pointer sanitization", + "sysfs_vuln_s2": "Vulnerable: Retpoline without IBPB", + "running_kernel": "3.10.0-862.14.4.el7.x86_64", + "dmesg_available": true, + "debugfs_available": true, + "old_specs_on_client": false, + "retpo_kernel_but_no_sys_cpu_vuln": false + }, + "resolution": { + "system_type": 105, + "resolution": "{{? pydata.dmesg_wrapped || !pydata.debugfs_available || pydata.retpo_kernel_but_no_sys_cpu_vuln }}**To improve detection reliability:**{{?}}\n{{? pydata.dmesg_wrapped}}* The kernel ring buffer has wrapped, making some information from `dmesg` unreliable. See [How do I increase the kernel log ring buffer size?](https://access.redhat.com/solutions/47276) for further information. Rebooting the system may also overcome this issue.\n{{?}}{{? !pydata.debugfs_available}}* Kernel debug information was not available. Mount `debugfs` as follows: \n{{? pydata.release >= 7 }}\n ~~~\n # systemctl restart sys-kernel-debug.mount\n ~~~\n{{??}}\n ~~~\n # mount -t debugfs nodev /sys/kernel/debug\n ~~~\n{{?}}{{?}}{{? pydata.retpo_kernel_but_no_sys_cpu_vuln}}* Allow Insights to collect `/sys/devices/system/cpu/vulnerabilities`.\n{{?}}\n\n**To mitigate the vulnerability:**\n{{? ( pydata.dmesg_wrapped || !pydata.dmesg_available ) && !pydata.debugfs_available && (!pydata.sysfs_vuln_s1 && !pydata.sysfs_vuln_s2 && !pydata.sysfs_vuln_md) }}* It might be necessary to improve detection reliability before we can offer more concrete mitigation steps.{{? !pydata.problems.kernel_supports_features}} If it is not possible, update the kernel package and reboot:\n ~~~\n # yum update {{=pydata.package_name}}\n # reboot\n ~~~\n{{?}}\n{{?}}{{? pydata.dmesg_available && !pydata.problems.kernel_supports_features }}* This system is running a vulnerable kernel. Update the kernel package and reboot:\n ~~~\n # yum update {{=pydata.package_name}}\n # reboot\n ~~~\n{{?}}{{? 
((pydata.debugfs_available || pydata.dmesg_available) && !pydata.problems.firmware_supports_features) || (pydata.sysfs_vuln_s2 && (pydata.sysfs_vuln_s2.indexOf(\"Vulnerable: Retpoline without IBPB\") != -1)) }}* This system needs a firmware update. Contact your system hardware vendor for more information.\n{{?}}{{? pydata.problems.pti_cmdline_disabled }}* Remove the `nopti` kernel argument:\n ~~~\n # grubby --update-kernel=ALL --remove-args=nopti\n ~~~\n{{?}}{{? pydata.problems.ibpb_cmdline_disabled }}* Remove the `noibpb` kernel argument:\n ~~~\n # grubby --update-kernel=ALL --remove-args=noibpb\n ~~~\n{{?}}{{? pydata.problems.ibrs_cmdline_disabled }}* Remove the `noibrs` kernel argument:\n ~~~\n # grubby --update-kernel=ALL --remove-args=noibrs\n ~~~\n{{?}}{{? ( pydata.problems.ibpb_cmdline_spectre_v2_disabled || pydata.problems.ibrs_cmdline_spectre_v2_disabled ) && ( pydata.problems.spectre_v2_disabling_cmdline.indexOf(\"v2=\") != -1 ) }}* Remove the `spectre_v2` kernel argument:\n ~~~\n # grubby --update-kernel=ALL --remove-args=spectre_v2\n ~~~\n{{?}}{{? ( pydata.problems.ibpb_cmdline_spectre_v2_disabled || pydata.problems.ibrs_cmdline_spectre_v2_disabled ) && ( pydata.problems.spectre_v2_disabling_cmdline.indexOf(\"nospectre\") != -1 ) }}* Remove the `nospectre_v2` kernel argument:\n ~~~\n # grubby --update-kernel=ALL --remove-args=nospectre_v2\n ~~~\n{{?}}{{? pydata.problems.rfi_flush_cmdline_disabled }}* Remove the `no_rfi_flush` kernel argument:\n ~~~\n # grubby --update-kernel=ALL --remove-args=no_rfi_flush\n ~~~\n{{?}}{{? pydata.sysfs_vuln_s2 }}{{? /Vulnerable: Minimal.*ASM retpoline/.test(pydata.sysfs_vuln_s2) }}* This system is running a custom kernel that has been compiled with outdated `gcc`. Either recompile the kernel with retpoline-enabled `gcc` or update the kernel package and reboot:\n ~~~\n # yum update {{=pydata.package_name}}\n # reboot\n ~~~\n{{?}}{{? 
pydata.sysfs_vuln_s2.indexOf(\"Vulnerable: Retpoline on Skylake\") != -1 }}* Enable IBRS and disable retpolines. Retpolines are disabled automatically when IBRS is enabled:\n ~~~\n # echo 1 > /sys/kernel/debug/x86/ibrs_enabled\n ~~~\n{{?}}{{? pydata.sysfs_vuln_s2.indexOf(\"Vulnerable: Retpoline with unsafe module\") != -1 }}* Unload the kernel modules that have been compiled without a retpoline-enabled compiler. To find the affected kernel modules:\n ~~~\n # dmesg | grep \"WARNING: module.*built without retpoline-enabled compiler\"\n ~~~\nTo unload the module:\n ~~~\n # modprobe -r module_name\n ~~~\n{{?}}{{?}}{{? pydata.problems.pti_cmdline_disabled || pydata.problems.ibpb_cmdline_disabled || pydata.problems.ibrs_cmdline_disabled || pydata.problems.ibpb_cmdline_spectre_v2_disabled || pydata.problems.ibrs_cmdline_spectre_v2_disabled || pydata.problems.rfi_flush_cmdline_disabled }}\n ~~~\n # reboot\n ~~~\n {{?}}\n\n{{? !pydata.virtual == false || pydata.virtual === null }}**Note about virtualization**\n\nIn virtualized environment, there are more steps to mitigate the issue, including:\n* Host needs to have updated kernel and CPU microcode\n* Host needs to have updated virtualization software\n* Guest needs to have updated kernel\n* Hypervisor needs to propagate new CPU features correctly\n\nFor more details about mitigations in virtualized environment see: [https://access.redhat.com/articles/3331571](https://access.redhat.com/articles/3331571){{?}}\n\n{{? 
pydata.virtual == \"vmware\" }}For help with setting VMWare to propagate CPU features correctly, refer to the following knowledge-base article: [https://kb.vmware.com/s/article/52085](https://kb.vmware.com/s/article/52085){{?}}\n",
+ "resolution_risk": {
+ "name": "Upgrade Kernel",
+ "risk": 3
+ },
+ "has_playbook": true
+ }
+ },
+ {
+ "id": 16923673,
+ "rule": {
+ "id": 72,
+ "created_at": "2019-02-07T14:02:34.653624-05:00",
+ "updated_at": "2019-03-12T11:45:29.372525-04:00",
+ "ruleset": {
+ "created_at": "2018-12-20T20:33:00-05:00",
+ "updated_at": "2018-12-20T20:33:00-05:00",
+ "rule_source": "https://$REDACTED$/insights-open-source/insights-security",
+ "description": "Security"
+ },
+ "rule_id": "CVE_2018_3639_cpu_kernel|CVE_2018_3639_CPU_BAD_MICROCODE",
+ "description": "Kernel vulnerable to side-channel attacks in modern microprocessors using Speculative Store Bypass when CPU microcode is outdated (CVE-2018-3639)",
+ "active": true,
+ "category": {
+ "id": 2,
+ "name": "Security"
+ },
+ "impact": {
+ "name": "Local Privilege Escalation",
+ "impact": 2
+ },
+ "likelihood": 2,
+ "node_id": "3448801",
+ "tags": "security",
+ "reboot_required": true,
+ "publish_date": "2018-05-21T21:00:00-04:00",
+ "summary": "An industry-wide issue was found in the manner in which many modern microprocessors have implemented speculative execution of instructions. It has been assigned [CVE-2018-3639](https://access.redhat.com/security/cve/CVE-2018-3639). Mitigations for this vulnerability require firmware/microcode updates from hardware vendors.\n\nAn unprivileged attacker can use this flaw to bypass restrictions in order to gain read access to privileged memory that would otherwise be inaccessible.\n",
+ "generic": "An industry-wide issue was found in the manner in which many modern microprocessors have implemented speculative execution of instructions. 
The flaw is similar to CVE-2017-5753 (aka \"Spectre v1\"), except it leverages Speculative Store Bypass memory optimization in place of the Branch Misprediction used by Spectre v1.\n\nAn unprivileged attacker can use this flaw to bypass restrictions in order to gain read access to privileged memory that would otherwise be inaccessible, e.g. to memory outside of a sandboxed environments like web browsers or JIT execution runtimes.\n\nMitigations for this vulnerability require firmware/microcode updates from hardware vendors.\n\nRed Hat recommends that you update the kernel and update firmware.\n", + "reason": "The system is vulnerable because:\n\n* CPU microcode requires an update\n", + "more_info": "* For more information about the flaw, see [the vulnerability article](https://access.redhat.com/security/vulnerabilities/ssbd).\n* To learn how to upgrade packages, see [What is yum and how do I use it?](https://access.redhat.com/solutions/9934).\n* The Customer Portal page for the [Red Hat Security Team](https://access.redhat.com/security/) contains more information about policies, procedures, and alerts for Red Hat products.\n* The Security Team also maintains a frequently updated blog at [securityblog.redhat.com](https://securityblog.redhat.com).\n", + "resolution_set": [ + { + "system_type": 105, + "resolution": "This system needs a firmware update. Contact your system hardware vendor for more information.\n\n{{? !pydata.virtual == false || pydata.virtual === null}}**Note about virtualization**\n\nIn virtualized environment, there are more steps to mitigate the issue, including:\n* Host needs to have updated kernel and CPU microcode\n* Host needs to have updated virtualization software\n* Guest needs to have updated kernel\n* Hypervisor needs to propagate new CPU features correctly\n\nFor more details about mitigations in virtualized environment see: [https://access.redhat.com/articles/3331571](https://access.redhat.com/articles/3331571){{?}}\n\n{{? 
pydata.virtual == \"vmware\" }}For help with setting VMWare to propagate CPU features correctly, refer to the following knowledge-base article: [https://kb.vmware.com/s/article/52085](https://kb.vmware.com/s/article/52085){{?}}\n",
+ "resolution_risk": {
+ "name": "Hardware Vendor Firmware Update",
+ "risk": 3
+ },
+ "has_playbook": false
+ }
+ ],
+ "total_risk": 2
+ },
+ "details": {
+ "rt": false,
+ "type": "rule",
+ "virtual": "kvm",
+ "cmd_avail": true,
+ "cves_fail": [
+ "CVE-2018-3639"
+ ],
+ "cves_pass": [],
+ "error_key": "CVE_2018_3639_CPU_BAD_MICROCODE",
+ "running_kernel": "3.10.0-862.14.4.el7.x86_64",
+ "vuln_file_present": true
+ },
+ "resolution": {
+ "system_type": 105,
+ "resolution": "This system needs a firmware update. Contact your system hardware vendor for more information.\n\n{{? !pydata.virtual == false || pydata.virtual === null}}**Note about virtualization**\n\nIn virtualized environment, there are more steps to mitigate the issue, including:\n* Host needs to have updated kernel and CPU microcode\n* Host needs to have updated virtualization software\n* Guest needs to have updated kernel\n* Hypervisor needs to propagate new CPU features correctly\n\nFor more details about mitigations in virtualized environment see: [https://access.redhat.com/articles/3331571](https://access.redhat.com/articles/3331571){{?}}\n\n{{? 
pydata.virtual == \"vmware\" }}For help with setting VMWare to propagate CPU features correctly, refer to the following knowledge-base article: [https://kb.vmware.com/s/article/52085](https://kb.vmware.com/s/article/52085){{?}}\n",
+ "resolution_risk": {
+ "name": "Hardware Vendor Firmware Update",
+ "risk": 3
+ },
+ "has_playbook": false
+ }
+ },
+ {
+ "id": 16923678,
+ "rule": {
+ "id": 193,
+ "created_at": "2019-02-07T14:02:35.803497-05:00",
+ "updated_at": "2019-02-07T14:02:35.803513-05:00",
+ "ruleset": {
+ "created_at": "2018-12-20T20:33:00-05:00",
+ "updated_at": "2018-12-20T20:33:00-05:00",
+ "rule_source": "https://$REDACTED$/insights-open-source/insights-security",
+ "description": "Security"
+ },
+ "rule_id": "hardening_httpd_pci_dss|HARDENING_HTTPD_PCI_DSS",
+ "description": "Decreased security in httpd when using deprecated TLS protocol version (PCI DSS)",
+ "active": true,
+ "category": {
+ "id": 2,
+ "name": "Security"
+ },
+ "impact": {
+ "name": "Hardening",
+ "impact": 1
+ },
+ "likelihood": 1,
+ "node_id": "",
+ "tags": "httpd hardening security",
+ "reboot_required": false,
+ "publish_date": "2018-10-20T00:00:00-04:00",
+ "summary": "PCI Data Security Standard [mandates disabling](https://blog.pcisecuritystandards.org/are-you-ready-for-30-june-2018-sayin-goodbye-to-ssl-early-tls) TLS versions older than 1.1 for safeguarding payment data.\n",
+ "generic": "These hosts are running httpd with legacy SSL or TLS versions enabled and might be non-compliant with the PCI Data Security Standard.\n\nRed Hat recommends that you change your httpd/Apache configuration files. 
Select a host to see the host-specific details that need to be updated within the httpd/Apache configuration.\n", + "reason": "This host is running httpd with legacy SSL or TLS versions enabled and might be non-compliant with the PCI Data Security Standard.\n", + "more_info": "* For more information about the new PCI DSS rules, see [the article](https://blog.pcisecuritystandards.org/are-you-ready-for-30-june-2018-sayin-goodbye-to-ssl-early-tls)\n* [How do I globally disable TLSv1.0 on my RHEL server?](https://access.redhat.com/solutions/2157131)\n* The Customer Portal page for the [Red Hat Security Team](https://access.redhat.com/security/) contains more information about policies, procedures, and alerts for Red Hat Products.\n* The Security Team also maintains a frequently updated blog at [securityblog.redhat.com](https://securityblog.redhat.com).\n", + "resolution_set": [ + { + "system_type": 19, + "resolution": "Red Hat recommends that you disable SSLv3 and TLSv1.0.\n\n{{?pydata.ssl_protocols}}**The following SSLProtocol directive(s) in the respective Apache configuration files will need to be modified:**\n
    {{~pydata.ssl_protocols: ssl}}\n
  • `{{=ssl[0]}}` - `{{=ssl[1]}}`
  • \n{{~}}
\n\nRed Hat recommends that either of these `SSLProtocol` configurations is used:\n* `SSLProtocol -all +TLSv1.1 +TLSv1.2`\n* `SSLProtocol all -SSLv2 -SSLv3 -TLSv1`\n\nFor additional hardening, to use TLS 1.2 only, use either of these `SSLProtocol` configurations:\n* `SSLProtocol -all +TLSv1.2`\n* `SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1`\n{{?}}\n\n{{?pydata.nss_protocols}}**The following NSSProtocol directive(s) in the respective Apache configuration files will need to be modified:**\n
    {{~pydata.nss_protocols: nss}}\n
  • `{{=nss[0]}}` - `{{=nss[1]}}`
  • \n{{~}}
\n\nRed Hat recommends that this `NSSProtocol` configuration is used:\n* `NSSProtocol TLSv1.1,TLSv1.2`\n\nFor additional hardening, to use TLS 1.2 only, use the following `NSSProtocol` configuration:\n* `NSSProtocol TLSv1.2`\n{{?}}\n\nThen restart httpd:\n\n # service httpd restart\n\nMake the changes permanent in the container image by using the **docker commit** command at the next container shutdown.\n\n{{?pydata.scl_installed}}You have installed httpd from Software Collections, which uses a different configuration files path from the default httpd. Some of the detected configuration files might be applicable only if the respective httpd package is used. Red Hat recommends resolving all listed issues to prevent inadvertent exposure to the vulnerability in case the httpd you use changes in the future.\n{{?}}\n", + "resolution_risk": { + "name": "Update Service Configuration", + "risk": 3 + }, + "has_playbook": false + }, + { + "system_type": 105, + "resolution": "Red Hat recommends that you disable SSLv3 and TLSv1.0.\n\n{{?pydata.ssl_protocols}}**The following SSLProtocol directive(s) in the respective Apache configuration files will need to be modified:**\n{{~pydata.ssl_protocols: ssl}}* `{{=ssl[0]}}` - {{=ssl[1]}}\n{{~}}\n\nRed Hat recommends that either of these `SSLProtocol` configurations is used:\n* `SSLProtocol -all +TLSv1.1 +TLSv1.2`\n* `SSLProtocol all -SSLv2 -SSLv3 -TLSv1`\n\nFor additional hardening, to use TLS 1.2 only, use either of these `SSLProtocol` configurations:\n* `SSLProtocol -all +TLSv1.2`\n* `SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1`\n{{?}}\n\n{{?pydata.nss_protocols}}**The following NSSProtocol directive(s) in the respective Apache configuration files will need to be modified:**\n{{~pydata.nss_protocols: nss}}* `{{=nss[0]}}` - {{=nss[1]}}\n{{~}}\n\nRed Hat recommends that this `NSSProtocol` configuration is used:\n* `NSSProtocol TLSv1.1,TLSv1.2`\n\nFor additional hardening, to use TLS 1.2 only, use the following `NSSProtocol` 
configuration:\n* `NSSProtocol TLSv1.2`\n{{?}}\n\nThen restart httpd:\n\n # service httpd restart\n\n{{?pydata.scl_installed}}You have installed httpd from Software Collections, which uses a different configuration files path from the default httpd. Some of the detected configuration files might be applicable only if the respective httpd package is used. Red Hat recommends resolving all listed issues to prevent inadvertent exposure to the vulnerability in case the httpd you use changes in the future.\n{{?}}\n", + "resolution_risk": { + "name": "Update Service Configuration", + "risk": 3 + }, + "has_playbook": false + }, + { + "system_type": 29, + "resolution": "Red Hat recommends that you disable SSLv3 and TLSv1.0.\n\n{{?pydata.ssl_protocols}}**The following SSLProtocol directive(s) in the respective Apache configuration files will need to be modified:**\n
    {{~pydata.ssl_protocols: ssl}}\n
  • `{{=ssl[0]}}` - `{{=ssl[1]}}`
  • \n{{~}}
\n\nRed Hat recommends that either of these `SSLProtocol` configurations is used:\n* `SSLProtocol -all +TLSv1.1 +TLSv1.2`\n* `SSLProtocol all -SSLv2 -SSLv3 -TLSv1`\n\nFor additional hardening, to use TLS 1.2 only, use either of these `SSLProtocol` configurations:\n* `SSLProtocol -all +TLSv1.2`\n* `SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1`\n{{?}}\n\n{{?pydata.nss_protocols}}**The following NSSProtocol directive(s) in the respective Apache configuration files will need to be modified:**\n
    {{~pydata.nss_protocols: nss}}\n
  • `{{=nss[0]}}` - `{{=nss[1]}}`
  • \n{{~}}
\n\nRed Hat recommends that this `NSSProtocol` configuration is used:\n* `NSSProtocol TLSv1.1,TLSv1.2`\n\nFor additional hardening, to use TLS 1.2 only, use the following `NSSProtocol` configuration:\n* `NSSProtocol TLSv1.2`\n{{?}}\n\nMake the changes permanent in the image by using the **docker commit** command.\n\n{{?pydata.scl_installed}}You have installed httpd from Software Collections, which uses a different configuration files path from the default httpd. Some of the detected configuration files might be applicable only if the respective httpd package is used. Red Hat recommends resolving all listed issues to prevent inadvertent exposure to the vulnerability in case the httpd you use changes in the future.\n{{?}}\n", + "resolution_risk": { + "name": "Update Service Configuration", + "risk": 3 + }, + "has_playbook": false + } + ], + "total_risk": 1 + }, + "details": { + "type": "rule", + "error_key": "HARDENING_HTTPD_PCI_DSS", + "nss_protocols": [ + [ + "NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2", + "/etc/httpd/conf.d/nss.conf" + ] + ], + "scl_installed": false, + "ssl_protocols": null + }, + "resolution": { + "system_type": 105, + "resolution": "Red Hat recommends that you disable SSLv3 and TLSv1.0.\n\n{{?pydata.ssl_protocols}}**The following SSLProtocol directive(s) in the respective Apache configuration files will need to be modified:**\n{{~pydata.ssl_protocols: ssl}}* `{{=ssl[0]}}` - {{=ssl[1]}}\n{{~}}\n\nRed Hat recommends that either of these `SSLProtocol` configurations is used:\n* `SSLProtocol -all +TLSv1.1 +TLSv1.2`\n* `SSLProtocol all -SSLv2 -SSLv3 -TLSv1`\n\nFor additional hardening, to use TLS 1.2 only, use either of these `SSLProtocol` configurations:\n* `SSLProtocol -all +TLSv1.2`\n* `SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1`\n{{?}}\n\n{{?pydata.nss_protocols}}**The following NSSProtocol directive(s) in the respective Apache configuration files will need to be modified:**\n{{~pydata.nss_protocols: nss}}* `{{=nss[0]}}` - {{=nss[1]}}\n{{~}}\n\nRed 
Hat recommends that this `NSSProtocol` configuration is used:\n* `NSSProtocol TLSv1.1,TLSv1.2`\n\nFor additional hardening, to use TLS 1.2 only, use the following `NSSProtocol` configuration:\n* `NSSProtocol TLSv1.2`\n{{?}}\n\nThen restart httpd:\n\n # service httpd restart\n\n{{?pydata.scl_installed}}You have installed httpd from Software Collections, which uses a different configuration files path from the default httpd. Some of the detected configuration files might be applicable only if the respective httpd package is used. Red Hat recommends resolving all listed issues to prevent inadvertent exposure to the vulnerability in case the httpd you use changes in the future.\n{{?}}\n", + "resolution_risk": { + "name": "Update Service Configuration", + "risk": 3 + }, + "has_playbook": false + } + }, + { + "id": 16923677, + "rule": { + "id": 235, + "created_at": "2019-02-07T14:02:36.236195-05:00", + "updated_at": "2019-02-11T15:21:37.409742-05:00", + "ruleset": { + "created_at": "2018-05-21T22:00:51-04:00", + "updated_at": "2018-05-21T22:00:51-04:00", + "rule_source": "https://$REDACTED$/insights-open-source/insights-plugins", + "description": "Advisor" + }, + "rule_id": "httpd24_deprecated_order|DEPRECATED_ORDER_USED_INFO_V1", + "description": "Unexpected behavior when using deprecated access control directives in httpd 2.4", + "active": true, + "category": { + "id": 1, + "name": "Availability" + }, + "impact": { + "name": "Invalid Configuration", + "impact": 1 + }, + "likelihood": 3, + "node_id": "", + "tags": "sbr_webservers webservers httpd", + "reboot_required": false, + "publish_date": "2018-05-30T20:39:00-04:00", + "summary": "The httpd service does not work as expected when using old directives in httpd-2.4.\n", + "generic": "Access control is using deprecated directives (\"Order\", \"Allow\" and \"Deny\") provided by `mod_authz_compat` which has been replaced by `mod_authz_host` in **httpd 2.4**.\n", + "reason": "This host is running **{{=pydata.ver}}** and 
using the following old directives (`Order`, `Allow` or `Deny`) which have been deprecated:\n\n{{ for (var _sec in pydata.dep_conf) { }}\n* Section `<{{=_sec}}>`\n {{ for (var file in pydata.dep_conf[_sec]) { }} * Configuration file `{{=file}}`\n ```text {{ for (var dir in pydata.dep_conf[_sec][file]) { }}\n {{=pydata.dep_conf[_sec][file][dir]}} {{ } }}\n ```\n {{ } }}\n{{ } }}\n", + "more_info": "", + "resolution_set": [ + { + "system_type": 105, + "resolution": "Red Hat recommends that you replace the old directives (\"Order\", \"Allow\" and \"Deny\") with the new directive (\"Require\") in **httpd-2.4**. Please check the [Upgrading to 2.4 from 2.2](http://httpd.apache.org/docs/2.4/upgrading.html) guide for more information.\n", + "resolution_risk": { + "name": "Update Service Configuration", + "risk": 3 + }, + "has_playbook": false + } + ], + "total_risk": 2 + }, + "details": { + "ver": "httpd-2.4.6-80.el7", + "type": "rule", + "dep_conf": { + "Location /KdcProxy": { + "/etc/httpd/conf.d/ipa-kdc-proxy.conf": [ + "Order Deny,Allow", + "Allow from all" + ] + }, + "Directory /usr/share/fonts": { + "/etc/httpd/conf.d/ipa.conf": [ + "Allow from all" + ] + }, + "Directory /usr/share/ipa/ui": { + "/etc/httpd/conf.d/ipa.conf": [ + "Allow from all" + ] + }, + "Directory /usr/share/ipa/html": { + "/etc/httpd/conf.d/ipa.conf": [ + "Allow from all" + ] + }, + "Directory /usr/share/ipa/wsgi": { + "/etc/httpd/conf.d/ipa.conf": [ + "Allow from all" + ] + }, + "Location /ipa/session/sync_token": { + "/etc/httpd/conf.d/ipa.conf": [ + "Order Deny,Allow", + "Allow from all" + ] + }, + "Directory /usr/share/ipa/migration": { + "/etc/httpd/conf.d/ipa.conf": [ + "Allow from all" + ] + }, + "Location /ipa/session/login_password": { + "/etc/httpd/conf.d/ipa.conf": [ + "Order Deny,Allow", + "Allow from all" + ] + }, + "Directory /var/lib/ipa/pki-ca/publish": { + "/etc/httpd/conf.d/ipa.conf": [ + "Allow from all" + ] + }, + "Location /ipa/session/change_password": { + 
"/etc/httpd/conf.d/ipa.conf": [ + "Order Deny,Allow", + "Allow from all" + ] + } + }, + "error_key": "DEPRECATED_ORDER_USED_INFO_V1" + }, + "resolution": { + "system_type": 105, + "resolution": "Red Hat recommends that you replace the old directives (\"Order\", \"Allow\" and \"Deny\") with the new directive (\"Require\") in **httpd-2.4**. Please check the [Upgrading to 2.4 from 2.2](http://httpd.apache.org/docs/2.4/upgrading.html) guide for more information.\n", + "resolution_risk": { + "name": "Update Service Configuration", + "risk": 3 + }, + "has_playbook": false + } + } +] diff --git a/awx/main/tests/data/insights.py b/awx/main/tests/data/insights.py index 6fdca9540a..8ddb0eba88 100644 --- a/awx/main/tests/data/insights.py +++ b/awx/main/tests/data/insights.py @@ -4,6 +4,9 @@ import os dir_path = os.path.dirname(os.path.realpath(__file__)) +with open(os.path.join(dir_path, 'insights_hosts.json')) as data_file: + TEST_INSIGHTS_HOSTS = json.load(data_file) + with open(os.path.join(dir_path, 'insights.json')) as data_file: TEST_INSIGHTS_PLANS = json.load(data_file) diff --git a/awx/main/tests/data/insights_hosts.json b/awx/main/tests/data/insights_hosts.json new file mode 100644 index 0000000000..2ed3f4f9f5 --- /dev/null +++ b/awx/main/tests/data/insights_hosts.json @@ -0,0 +1,12 @@ +{ + "total": 1, + "count": 1, + "page": 1, + "per_page": 50, + "results": [ + { + "insights_id": "11111111-1111-1111-1111-111111111111", + "updated": "2019-03-19T21:59:09.213151-04:00" + } + ] +} diff --git a/awx/main/tests/unit/utils/test_insights.py b/awx/main/tests/unit/utils/test_insights.py index 72de5018bc..1eee79ce78 100644 --- a/awx/main/tests/unit/utils/test_insights.py +++ b/awx/main/tests/unit/utils/test_insights.py 
@@ -3,11 +3,12 @@ from awx.main.utils.insights import filter_insights_api_response -from awx.main.tests.data.insights import TEST_INSIGHTS_PLANS, TEST_INSIGHTS_REMEDIATIONS +from awx.main.tests.data.insights import TEST_INSIGHTS_HOSTS, TEST_INSIGHTS_PLANS, TEST_INSIGHTS_REMEDIATIONS def test_filter_insights_api_response(): - actual = filter_insights_api_response(TEST_INSIGHTS_PLANS, TEST_INSIGHTS_REMEDIATIONS) + actual = filter_insights_api_response( + TEST_INSIGHTS_HOSTS['results'][0], TEST_INSIGHTS_PLANS, TEST_INSIGHTS_REMEDIATIONS) assert actual['last_check_in'] == '2019-03-19T21:59:09.213151-04:00' assert len(actual['reports']) == 5 diff --git a/awx/main/utils/insights.py b/awx/main/utils/insights.py index a21720794c..fbb2ba43c2 100644 --- a/awx/main/utils/insights.py +++ b/awx/main/utils/insights.py @@ -4,11 +4,11 @@ # Old Insights API -> New API # -# last_check_in -> checked_on -# reports[] -> active_reports[] -# reports[].rule.{description,summary} -> active_reports[].rule.{description,summary} -# reports[].rule.category -> active_reports[].rule.category.name -# reports[].rule.severity (str) -> active_reports[].rule.total_risk (int) +# last_check_in is missing entirely, is now provided by a different endpoint +# reports[] -> [] +# reports[].rule.{description,summary} -> [].rule.{description,summary} +# reports[].rule.category -> [].rule.category.name +# reports[].rule.severity (str) -> [].rule.total_risk (int) # reports[].rule.{ansible,ansible_fix} appears to be unused # reports[].maintenance_actions[] missing entirely, is now provided From 49ba6c6b3d29a5437ca6617c29cf5eae91cd81a7 Mon Sep 17 00:00:00 2001 From: Jeff Bradberry Date: Mon, 15 Apr 2019 16:12:08 -0400 Subject: [PATCH 22/34] Appease flake8 --- awx/api/views/__init__.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/awx/api/views/__init__.py b/awx/api/views/__init__.py index b3e89fe921..c0554440a9 100644 --- a/awx/api/views/__init__.py +++ b/awx/api/views/__init__.py 
@@ -1682,7 +1682,7 @@ class HostInsights(GenericAPIView): settings.INSIGHTS_URL_BASE, host.insights_system_id) res = self._call_insights_api(url, session, headers) try: - platform_id = res['results'][0]['id'] + res['results'][0]['id'] except (IndexError, KeyError): raise NotFound( _('Could not translate Insights system ID {}' From 6ff539e6ee2ac3264e6347c81774fc9f67a7981c Mon Sep 17 00:00:00 2001 From: Jeff Bradberry Date: Tue, 16 Apr 2019 10:14:44 -0400 Subject: [PATCH 23/34] Update the front-end Insights urls --- awx/main/tests/data/insights_hosts.json | 3 ++- awx/main/utils/insights.py | 1 + .../inventories/insights/insights.controller.js | 3 ++- .../src/inventories-hosts/inventories/insights/plan-filter.js | 4 ++-- 4 files changed, 7 insertions(+), 4 deletions(-) diff --git a/awx/main/tests/data/insights_hosts.json b/awx/main/tests/data/insights_hosts.json index 2ed3f4f9f5..8228222854 100644 --- a/awx/main/tests/data/insights_hosts.json +++ b/awx/main/tests/data/insights_hosts.json @@ -5,7 +5,8 @@ "per_page": 50, "results": [ { - "insights_id": "11111111-1111-1111-1111-111111111111", + "id": "11111111-1111-1111-1111-111111111111", + "insights_id": "22222222-2222-2222-2222-222222222222", "updated": "2019-03-19T21:59:09.213151-04:00" } ] diff --git a/awx/main/utils/insights.py b/awx/main/utils/insights.py index fbb2ba43c2..67bb1e5f25 100644 --- a/awx/main/utils/insights.py +++ b/awx/main/utils/insights.py @@ -24,6 +24,7 @@ def filter_insights_api_response(platform_info, reports, remediations): } new_json = { + 'platform_id': platform_info['id'], 'last_check_in': platform_info.get('updated'), 'reports': [], } diff --git a/awx/ui/client/src/inventories-hosts/inventories/insights/insights.controller.js b/awx/ui/client/src/inventories-hosts/inventories/insights/insights.controller.js index 5022fc519d..effacb7297 100644 --- a/awx/ui/client/src/inventories-hosts/inventories/insights/insights.controller.js 
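Review bot: The bare `res['results'][0]['id']` that replaces the assignment reads as dead code and is the kind of line the next cleanup will delete, yet it is the only thing that makes the `except (IndexError, KeyError)` branch reachable; make the intent explicit, e.g. `_ = res['results'][0]['id']  # probe only: the Insights system ID must resolve to a platform host` or an explicit membership test. The handler also covers only IndexError and KeyError, so a response in which `results` is not a list of dicts (say `None` or a string) would surface as a TypeError rather than the NotFound the caller is given for the "could not translate" case; whether `_call_insights_api` can return such a shape is not visible here, so confirm before widening the except. The enclosing method of HostInsights starts and ends outside the hunk.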
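Review bot: `platform_info['id']` on the added line is a hard lookup while the adjacent `platform_info.get('updated')` tolerates a missing key, so a hosts response without `id` becomes an unhandled KeyError inside the filter rather than the NotFound the view appears to raise for that condition. Either record the contract, `# caller has already verified 'id' is present (see HostInsights)`, or use `platform_info.get('id')` to match the neighbouring field; the test fixture only gains an `id` key in this same commit, which suggests the response shape is still being pinned down. The enclosing `filter_insights_api_response` runs past the end of the hunk.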
+++ b/awx/ui/client/src/inventories-hosts/inventories/insights/insights.controller.js @@ -26,6 +26,7 @@ function (data, $scope, moment, $state, InventoryData, InsightsService, InventoryData.summary_fields.insights_credential && InventoryData.summary_fields.insights_credential.id) ? InventoryData.summary_fields.insights_credential.id : null; $scope.canRemediate = CanRemediate; + $scope.platformId = $scope.reports_dataset.platform_id; } function filter(str){ @@ -40,7 +41,7 @@ function (data, $scope, moment, $state, InventoryData, InsightsService, }; $scope.viewDataInInsights = function(){ - window.open(`https://access.redhat.com/insights/inventory?machine=${$scope.$parent.host.insights_system_id}`, '_blank'); + window.open(`https://cloud.redhat.com/insights/inventory/${$scope.platform_id}/insights`, '_blank'); }; $scope.remediateInventory = function(inv_id, insights_credential){ diff --git a/awx/ui/client/src/inventories-hosts/inventories/insights/plan-filter.js b/awx/ui/client/src/inventories-hosts/inventories/insights/plan-filter.js index 27259feac0..df023b75aa 100644 --- a/awx/ui/client/src/inventories-hosts/inventories/insights/plan-filter.js +++ b/awx/ui/client/src/inventories-hosts/inventories/insights/plan-filter.js @@ -7,10 +7,10 @@ export default function(){ return function(plan) { if(plan === null || plan === undefined){ - return "PLAN: Not Available CREATE A NEW PLAN IN INSIGHTS"; + return "PLAN: Not Available CREATE A NEW PLAN IN INSIGHTS"; } else { let name = (plan.name === null) ? "Unnamed Plan" : plan.name; - return `${name} (${plan.id})`; + return `${name} (${plan.id})`; } }; } From 0b555e938a0502491f3cb5875f25ca8507cfeeb8 Mon Sep 17 00:00:00 2001 From: Jeff Bradberry Date: Tue, 16 Apr 2019 11:32:01 -0400 Subject: [PATCH 24/34] Fix typo in the Insights inventory url --- .../inventories/insights/insights.controller.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/awx/ui/client/src/inventories-hosts/inventories/insights/insights.controller.js b/awx/ui/client/src/inventories-hosts/inventories/insights/insights.controller.js index effacb7297..582f7bc94b 100644 --- a/awx/ui/client/src/inventories-hosts/inventories/insights/insights.controller.js +++ b/awx/ui/client/src/inventories-hosts/inventories/insights/insights.controller.js @@ -41,7 +41,7 @@ function (data, $scope, moment, $state, InventoryData, InsightsService, }; $scope.viewDataInInsights = function(){ - window.open(`https://cloud.redhat.com/insights/inventory/${$scope.platform_id}/insights`, '_blank'); + window.open(`https://cloud.redhat.com/insights/inventory/${$scope.platformId}/insights`, '_blank'); }; $scope.remediateInventory = function(inv_id, insights_credential){ From 4ca4563a19b20b157cd781861eb796e38b06dffc Mon Sep 17 00:00:00 2001 
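Review bot: `window.open(url, '_blank')` on the corrected line opens the Insights tab with a live `window.opener` back to the AWX UI, so the destination, or anything it redirects to, can navigate the opener tab (reverse tabnabbing); browsers of this era do not imply `noopener` for `_blank`, so pass it explicitly: `window.open(\`https://cloud.redhat.com/insights/inventory/${encodeURIComponent($scope.platformId)}/insights\`, '_blank', 'noopener,noreferrer');`. The interpolated `$scope.platformId` comes from the Insights hosts API via the `platform_id` field added in the preceding commit and is presumably a UUID, but it is placed into the URL path unencoded; `encodeURIComponent` costs nothing and keeps a malformed id from escaping the path segment. The return value of `window.open` is unused here, so `noopener` returning `null` changes nothing. `viewDataInInsights` is fully shown; the surrounding controller runs outside the hunk.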
From: Bill Nottingham Date: Mon, 22 Apr 2019 14:34:39 -0400 Subject: [PATCH 25/34] Update Azure requirements for Ansible stable-2.8 branch. --- ...oints.txt => azure-mgmt-authorization.txt} | 10 +-- docs/licenses/azure-mgmt-cdn.txt | 21 +++++ docs/licenses/azure-mgmt-cosmosdb.txt | 21 +++++ docs/licenses/azure-mgmt-devtestlabs.txt | 21 +++++ docs/licenses/azure-mgmt-hdinsight.txt | 21 +++++ docs/licenses/azure-mgmt-loganalytics.txt | 21 +++++ docs/licenses/azure-mgmt-redis.txt | 21 +++++ docs/licenses/azure-mgmt-servicebus.txt | 21 +++++ docs/licenses/configparser.txt | 20 ----- docs/licenses/keyring.txt | 82 ------------------- docs/licenses/secretstorage.txt | 25 ------ requirements/requirements_ansible.in | 38 +++++---- requirements/requirements_ansible.txt | 45 +++++----- 13 files changed, 199 insertions(+), 168 deletions(-) rename docs/licenses/{entrypoints.txt => azure-mgmt-authorization.txt} (87%) create mode 100644 docs/licenses/azure-mgmt-cdn.txt create mode 100644 docs/licenses/azure-mgmt-cosmosdb.txt create mode 100644 docs/licenses/azure-mgmt-devtestlabs.txt create mode 100644 docs/licenses/azure-mgmt-hdinsight.txt create mode 100644 docs/licenses/azure-mgmt-loganalytics.txt create mode 100644 docs/licenses/azure-mgmt-redis.txt create mode 100644 docs/licenses/azure-mgmt-servicebus.txt delete mode 100644 docs/licenses/configparser.txt delete mode 100644 docs/licenses/keyring.txt delete mode 100644 docs/licenses/secretstorage.txt diff --git a/docs/licenses/entrypoints.txt b/docs/licenses/azure-mgmt-authorization.txt similarity index 87% rename from docs/licenses/entrypoints.txt rename to docs/licenses/azure-mgmt-authorization.txt index 11be2a7553..dc1cf39d13 100644 --- a/docs/licenses/entrypoints.txt +++ b/docs/licenses/azure-mgmt-authorization.txt 
@@ -1,6 +1,6 @@ The MIT License (MIT) -Copyright (c) 2015 Thomas Kluyver and contributors +Copyright (c) 2016 Microsoft Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal @@ -9,13 +9,13 @@ to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: -The above copyright notice and this permission notice shall be included in -all copies or substantial portions of the Software. +The above copyright notice and this permission notice shall be included in all +copies or substantial portions of the Software. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, -OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN -THE SOFTWARE. +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE +SOFTWARE. diff --git a/docs/licenses/azure-mgmt-cdn.txt b/docs/licenses/azure-mgmt-cdn.txt new file mode 100644 index 0000000000..dc1cf39d13 --- /dev/null +++ b/docs/licenses/azure-mgmt-cdn.txt 
@@ -0,0 +1,21 @@ +The MIT License (MIT) + +Copyright (c) 2016 Microsoft + +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to deal +in the Software without restriction, including without limitation the rights +to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in all +copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE +SOFTWARE. diff --git a/docs/licenses/azure-mgmt-cosmosdb.txt b/docs/licenses/azure-mgmt-cosmosdb.txt new file mode 100644 index 0000000000..dc1cf39d13 --- /dev/null +++ b/docs/licenses/azure-mgmt-cosmosdb.txt 
@@ -0,0 +1,21 @@ +The MIT License (MIT) + +Copyright (c) 2016 Microsoft + +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to deal +in the Software without restriction, including without limitation the rights +to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in all +copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE +SOFTWARE. diff --git a/docs/licenses/azure-mgmt-devtestlabs.txt b/docs/licenses/azure-mgmt-devtestlabs.txt new file mode 100644 index 0000000000..dc1cf39d13 --- /dev/null +++ b/docs/licenses/azure-mgmt-devtestlabs.txt 
@@ -0,0 +1,21 @@ +The MIT License (MIT) + +Copyright (c) 2016 Microsoft + +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to deal +in the Software without restriction, including without limitation the rights +to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in all +copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE +SOFTWARE. diff --git a/docs/licenses/azure-mgmt-hdinsight.txt b/docs/licenses/azure-mgmt-hdinsight.txt new file mode 100644 index 0000000000..dc1cf39d13 --- /dev/null +++ b/docs/licenses/azure-mgmt-hdinsight.txt 
@@ -0,0 +1,21 @@ +The MIT License (MIT) + +Copyright (c) 2016 Microsoft + +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to deal +in the Software without restriction, including without limitation the rights +to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in all +copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE +SOFTWARE. diff --git a/docs/licenses/azure-mgmt-loganalytics.txt b/docs/licenses/azure-mgmt-loganalytics.txt new file mode 100644 index 0000000000..dc1cf39d13 --- /dev/null +++ b/docs/licenses/azure-mgmt-loganalytics.txt 
@@ -0,0 +1,21 @@ +The MIT License (MIT) + +Copyright (c) 2016 Microsoft + +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to deal +in the Software without restriction, including without limitation the rights +to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in all +copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE +SOFTWARE. diff --git a/docs/licenses/azure-mgmt-redis.txt b/docs/licenses/azure-mgmt-redis.txt new file mode 100644 index 0000000000..dc1cf39d13 --- /dev/null +++ b/docs/licenses/azure-mgmt-redis.txt 
@@ -0,0 +1,21 @@ +The MIT License (MIT) + +Copyright (c) 2016 Microsoft + +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to deal +in the Software without restriction, including without limitation the rights +to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in all +copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE +SOFTWARE. diff --git a/docs/licenses/azure-mgmt-servicebus.txt b/docs/licenses/azure-mgmt-servicebus.txt new file mode 100644 index 0000000000..dc1cf39d13 --- /dev/null +++ b/docs/licenses/azure-mgmt-servicebus.txt 
@@ -0,0 +1,21 @@ +The MIT License (MIT) + +Copyright (c) 2016 Microsoft + +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to deal +in the Software without restriction, including without limitation the rights +to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in all +copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE +SOFTWARE. diff --git a/docs/licenses/configparser.txt b/docs/licenses/configparser.txt deleted file mode 100644 index 019015b128..0000000000 --- a/docs/licenses/configparser.txt +++ /dev/null 
@@ -1,20 +0,0 @@ -The MIT License (MIT) - -Copyright (c) 2016 Ɓukasz Langa and others - -Permission is hereby granted, free of charge, to any person obtaining a copy of -this software and associated documentation files (the "Software"), to deal in -the Software without restriction, including without limitation the rights to -use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of -the Software, and to permit persons to whom the Software is furnished to do so, -subject to the following conditions: - -The above copyright notice and this permission notice shall be included in all -copies or substantial portions of the Software. - -THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS -FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR -COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER -IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN -CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. \ No newline at end of file diff --git a/docs/licenses/keyring.txt b/docs/licenses/keyring.txt deleted file mode 100644 index d5fa14a505..0000000000 --- a/docs/licenses/keyring.txt +++ /dev/null 
@@ -1,82 +0,0 @@ -PYTHON SOFTWARE FOUNDATION LICENSE VERSION 2 - - 1. This LICENSE AGREEMENT is between the Python Software Foundation ("PSF"), and the Individual or Organization ("Licensee") accessing and otherwise using this software ("Python") in source or binary form and its associated documentation. - - 2. Subject to the terms and conditions of this License Agreement, PSF hereby grants Licensee a nonexclusive, royalty-free, world-wide license to reproduce, analyze, test, perform and/or display publicly, prepare derivative works, distribute, and otherwise use Python alone or in any derivative version, provided, however, that PSF's License Agreement and PSF's notice of copyright, i.e., "Copyright (c) 2001, 2002, 2003, 2004, 2005, 2006 Python Software Foundation; All Rights Reserved" are retained in Python alone or in any derivative version prepared by Licensee. - - 3. In the event Licensee prepares a derivative work that is based on or incorporates Python or any part thereof, and wants to make the derivative work available to others as provided herein, then Licensee hereby agrees to include in any such work a brief summary of the changes made to Python. - - 4. PSF is making Python available to Licensee on an "AS IS" basis. PSF MAKES NO REPRESENTATIONS OR WARRANTIES, EXPRESS OR IMPLIED. BY WAY OF EXAMPLE, BUT NOT LIMITATION, PSF MAKES NO AND DISCLAIMS ANY REPRESENTATION OR WARRANTY OF MERCHANTABILITY OR FITNESS FOR ANY PARTICULAR PURPOSE OR THAT THE USE OF PYTHON WILL NOT INFRINGE ANY THIRD PARTY RIGHTS. - - 5. PSF SHALL NOT BE LIABLE TO LICENSEE OR ANY OTHER USERS OF PYTHON FOR ANY INCIDENTAL, SPECIAL, OR CONSEQUENTIAL DAMAGES OR LOSS AS A RESULT OF MODIFYING, DISTRIBUTING, OR OTHERWISE USING PYTHON, OR ANY DERIVATIVE THEREOF, EVEN IF ADVISED OF THE POSSIBILITY THEREOF. - - 6. This License Agreement will automatically terminate upon a material breach of its terms and conditions. - - 7. 
Nothing in this License Agreement shall be deemed to create any relationship of agency, partnership, or joint venture between PSF and Licensee. This License Agreement does not grant permission to use PSF trademarks or trade name in a trademark sense to endorse or promote products or services of Licensee, or any third party. - - 8. By copying, installing or otherwise using Python, Licensee agrees to be bound by the terms and conditions of this License Agreement. - - -BEOPEN.COM LICENSE AGREEMENT FOR PYTHON 2.0 - -BEOPEN PYTHON OPEN SOURCE LICENSE AGREEMENT VERSION 1 - - 1. This LICENSE AGREEMENT is between BeOpen.com ("BeOpen"), having an office at 160 Saratoga Avenue, Santa Clara, CA 95051, and the Individual or Organization ("Licensee") accessing and otherwise using this software in source or binary form and its associated documentation ("the Software"). - - 2. Subject to the terms and conditions of this BeOpen Python License Agreement, BeOpen hereby grants Licensee a non-exclusive, royalty-free, world-wide license to reproduce, analyze, test, perform and/or display publicly, prepare derivative works, distribute, and otherwise use the Software alone or in any derivative version, provided, however, that the BeOpen Python License is retained in the Software, alone or in any derivative version prepared by Licensee. - - 3. BeOpen is making the Software available to Licensee on an "AS IS" basis. BEOPEN MAKES NO REPRESENTATIONS OR WARRANTIES, EXPRESS OR IMPLIED. BY WAY OF EXAMPLE, BUT NOT LIMITATION, BEOPEN MAKES NO AND DISCLAIMS ANY REPRESENTATION OR WARRANTY OF MERCHANTABILITY OR FITNESS FOR ANY PARTICULAR PURPOSE OR THAT THE USE OF THE SOFTWARE WILL NOT INFRINGE ANY THIRD PARTY RIGHTS. - - 4. BEOPEN SHALL NOT BE LIABLE TO LICENSEE OR ANY OTHER USERS OF THE SOFTWARE FOR ANY INCIDENTAL, SPECIAL, OR CONSEQUENTIAL DAMAGES OR LOSS AS A RESULT OF USING, MODIFYING OR DISTRIBUTING THE SOFTWARE, OR ANY DERIVATIVE THEREOF, EVEN IF ADVISED OF THE POSSIBILITY THEREOF. - - 5. 
This License Agreement will automatically terminate upon a material breach of its terms and conditions. - - 6. This License Agreement shall be governed by and interpreted in all respects by the law of the State of California, excluding conflict of law provisions. Nothing in this License Agreement shall be deemed to create any relationship of agency, partnership, or joint venture between BeOpen and Licensee. This License Agreement does not grant permission to use BeOpen trademarks or trade names in a trademark sense to endorse or promote products or services of Licensee, or any third party. As an exception, the "BeOpen Python" logos available at http://www.pythonlabs.com/logos.html may be used according to the permissions granted on that web page. - - 7. By copying, installing or otherwise using the software, Licensee agrees to be bound by the terms and conditions of this License Agreement. - - -CNRI OPEN SOURCE LICENSE AGREEMENT (for Python 1.6b1) - -IMPORTANT: PLEASE READ THE FOLLOWING AGREEMENT CAREFULLY. - -BY CLICKING ON "ACCEPT" WHERE INDICATED BELOW, OR BY COPYING, INSTALLING OR OTHERWISE USING PYTHON 1.6, beta 1 SOFTWARE, YOU ARE DEEMED TO HAVE AGREED TO THE TERMS AND CONDITIONS OF THIS LICENSE AGREEMENT. - - 1. This LICENSE AGREEMENT is between the Corporation for National Research Initiatives, having an office at 1895 Preston White Drive, Reston, VA 20191 ("CNRI"), and the Individual or Organization ("Licensee") accessing and otherwise using Python 1.6, beta 1 software in source or binary form and its associated documentation, as released at the www.python.org Internet site on August 4, 2000 ("Python 1.6b1"). - - 2. 
Subject to the terms and conditions of this License Agreement, CNRI hereby grants Licensee a non-exclusive, royalty-free, world-wide license to reproduce, analyze, test, perform and/or display publicly, prepare derivative works, distribute, and otherwise use Python 1.6b1 alone or in any derivative version, provided, however, that CNRIs License Agreement is retained in Python 1.6b1, alone or in any derivative version prepared by Licensee. - - Alternately, in lieu of CNRIs License Agreement, Licensee may substitute the following text (omitting the quotes): "Python 1.6, beta 1, is made available subject to the terms and conditions in CNRIs License Agreement. This Agreement may be located on the Internet using the following unique, persistent identifier (known as a handle): 1895.22/1011. This Agreement may also be obtained from a proxy server on the Internet using the URL:http://hdl.handle.net/1895.22/1011". - - 3. In the event Licensee prepares a derivative work that is based on or incorporates Python 1.6b1 or any part thereof, and wants to make the derivative work available to the public as provided herein, then Licensee hereby agrees to indicate in any such work the nature of the modifications made to Python 1.6b1. - - 4. CNRI is making Python 1.6b1 available to Licensee on an "AS IS" basis. CNRI MAKES NO REPRESENTATIONS OR WARRANTIES, EXPRESS OR IMPLIED. BY WAY OF EXAMPLE, BUT NOT LIMITATION, CNRI MAKES NO AND DISCLAIMS ANY REPRESENTATION OR WARRANTY OF MERCHANTABILITY OR FITNESS FOR ANY PARTICULAR PURPOSE OR THAT THE USE OF PYTHON 1.6b1 WILL NOT INFRINGE ANY THIRD PARTY RIGHTS. - - 5. CNRI SHALL NOT BE LIABLE TO LICENSEE OR ANY OTHER USERS OF THE SOFTWARE FOR ANY INCIDENTAL, SPECIAL, OR CONSEQUENTIAL DAMAGES OR LOSS AS A RESULT OF USING, MODIFYING OR DISTRIBUTING PYTHON 1.6b1, OR ANY DERIVATIVE THEREOF, EVEN IF ADVISED OF THE POSSIBILITY THEREOF. - - 6. This License Agreement will automatically terminate upon a material breach of its terms and conditions. - - 7. 
This License Agreement shall be governed by and interpreted in all respects by the law of the State of Virginia, excluding conflict of law provisions. Nothing in this License Agreement shall be deemed to create any relationship of agency, partnership, or joint venture between CNRI and Licensee. This License Agreement does not grant permission to use CNRI trademarks or trade name in a trademark sense to endorse or promote products or services of Licensee, or any third party. - - 8. By clicking on the "ACCEPT" button where indicated, or by copying, installing or otherwise using Python 1.6b1, Licensee agrees to be bound by the terms and conditions of this License Agreement. - -ACCEPT - - -CWI LICENSE AGREEMENT FOR PYTHON 0.9.0 THROUGH 1.2 - -Copyright (c) 1991 - 1995, Stichting Mathematisch Centrum Amsterdam, The Netherlands. All rights reserved. - - Permission to use, copy, modify, and distribute this software and its documentation for any purpose and without fee is hereby granted, provided that the above copyright notice appear in all copies and that both that copyright notice and this permission notice appear in supporting documentation, and that the name of Stichting Mathematisch Centrum or CWI not be used in advertising or publicity pertaining to distribution of the software without specific, written prior permission. - - STICHTING MATHEMATISCH CENTRUM DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO EVENT SHALL STICHTING MATHEMATISCH CENTRUM BE LIABLE FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 
- and -MIT License - -Copyright (c) - -Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: - -The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. - -THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. \ No newline at end of file diff --git a/docs/licenses/secretstorage.txt b/docs/licenses/secretstorage.txt deleted file mode 100644 index 2c19ef1248..0000000000 --- a/docs/licenses/secretstorage.txt +++ /dev/null 
@@ -1,25 +0,0 @@
-Copyright 2012-2016 Dmitry Shachnev
-All rights reserved.
-
-Redistribution and use in source and binary forms, with or without
-modification, are permitted provided that the following conditions are met:
-
-1. Redistributions of source code must retain the above copyright notice, this
- list of conditions and the following disclaimer.
-2. Redistributions in binary form must reproduce the above copyright notice,
- this list of conditions and the following disclaimer in the documentation
- and/or other materials provided with the distribution.
-3. Neither the name of the University nor the names of its contributors may be
- used to endorse or promote products derived from this software without
- specific prior written permission.
-
-THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
-ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
-WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
-DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE FOR ANY
-DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
-(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
-ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
-(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
-SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
diff --git a/requirements/requirements_ansible.in b/requirements/requirements_ansible.in
index 3b44e9c941..43166c27b7 100644
--- a/requirements/requirements_ansible.in
+++ b/requirements/requirements_ansible.in
@@ -1,32 +1,40 @@
 # Azure
-# azure deps from https://github.com/ansible/ansible/blob/stable-2.7/packaging/requirements/requirements-azure.txt
+# azure deps from https://github.com/ansible/ansible/blob/stable-2.8/packaging/requirements/requirements-azure.txt
 packaging
 azure-cli-core==2.0.35
 azure-cli-nspkg==3.0.2
 azure-common==1.1.11
-azure-mgmt-batch==4.1.0
-azure-mgmt-compute==2.1.0
-azure-mgmt-containerinstance==0.4.0
+azure-mgmt-authorization==0.51.1
+azure-mgmt-batch==5.0.1
+azure-mgmt-cdn==3.0.0
+azure-mgmt-compute==4.4.0
+azure-mgmt-containerinstance==1.4.0
 azure-mgmt-containerregistry==2.0.0
-azure-mgmt-containerservice==3.0.1
-azure-mgmt-dns==1.2.0
-azure-mgmt-keyvault==0.40.0
+azure-mgmt-containerservice==4.4.0
+azure-mgmt-dns==2.1.0
+azure-mgmt-keyvault==1.1.0
 azure-mgmt-marketplaceordering==0.1.0
 azure-mgmt-monitor==0.5.2
-azure-mgmt-network==1.7.1
+azure-mgmt-network==2.3.0
 azure-mgmt-nspkg==2.0.0
-azure-mgmt-rdbms==1.2.0
-azure-mgmt-resource==1.2.2
-azure-mgmt-sql==0.7.1
-azure-mgmt-storage==1.5.0
+azure-mgmt-redis==5.0.0
+azure-mgmt-resource==2.1.0
+azure-mgmt-rdbms==1.4.1
+azure-mgmt-servicebus==0.5.3
+azure-mgmt-sql==0.10.0
+azure-mgmt-storage==3.1.0
 azure-mgmt-trafficmanager==0.50.0
-azure-mgmt-web==0.32.0
+azure-mgmt-web==0.41.0
 azure-nspkg==2.0.0
 azure-storage==0.35.1
-msrest==0.4.29
-msrestazure==0.4.31
+msrest==0.6.1
+msrestazure==0.5.0
 azure-keyvault==1.0.0a1
 azure-graphrbac==0.40.0
+azure-mgmt-cosmosdb==0.5.2
+azure-mgmt-hdinsight==0.1.0
+azure-mgmt-devtestlabs==3.0.0
+azure-mgmt-loganalytics==0.2.0
 # AWS
 boto==2.47.0 # last which does not break ec2 scripts
 boto3==1.6.2
diff --git a/requirements/requirements_ansible.txt b/requirements/requirements_ansible.txt
index f29d8dc153..0be2c2861f 100644
--- a/requirements/requirements_ansible.txt
+++ b/requirements/requirements_ansible.txt
@@ -4,8 +4,8 @@
 #
 # pip-compile --output-file requirements/requirements_ansible.txt requirements/requirements_ansible.in
 #
-adal==0.5.0 # via msrestazure
-appdirs==1.4.3 # via openstacksdk, os-client-config
+adal==1.2.1 # via msrestazure
+appdirs==1.4.3 # via openstacksdk
 applicationinsights==0.11.1 # via azure-cli-core
 argcomplete==1.9.4 # via azure-cli-core, knack
 asn1crypto==0.24.0 # via cryptography
@@ -14,23 +14,31 @@ azure-cli-nspkg==3.0.2
 azure-common==1.1.11
 azure-graphrbac==0.40.0
 azure-keyvault==1.0.0a1
-azure-mgmt-batch==4.1.0
-azure-mgmt-compute==2.1.0
-azure-mgmt-containerinstance==0.4.0
+azure-mgmt-authorization==0.51.1
+azure-mgmt-batch==5.0.1
+azure-mgmt-cdn==3.0.0
+azure-mgmt-compute==4.4.0
+azure-mgmt-containerinstance==1.4.0
 azure-mgmt-containerregistry==2.0.0
-azure-mgmt-containerservice==3.0.1
-azure-mgmt-dns==1.2.0
-azure-mgmt-keyvault==0.40.0
+azure-mgmt-containerservice==4.4.0
+azure-mgmt-cosmosdb==0.5.2
+azure-mgmt-devtestlabs==3.0.0
+azure-mgmt-dns==2.1.0
+azure-mgmt-hdinsight==0.1.0
+azure-mgmt-keyvault==1.1.0
+azure-mgmt-loganalytics==0.2.0
 azure-mgmt-marketplaceordering==0.1.0
 azure-mgmt-monitor==0.5.2
-azure-mgmt-network==1.7.1
+azure-mgmt-network==2.3.0
 azure-mgmt-nspkg==2.0.0
-azure-mgmt-rdbms==1.2.0
-azure-mgmt-resource==1.2.2
-azure-mgmt-sql==0.7.1
-azure-mgmt-storage==1.5.0
+azure-mgmt-rdbms==1.4.1
+azure-mgmt-redis==5.0.0
+azure-mgmt-resource==2.1.0
+azure-mgmt-servicebus==0.5.3
+azure-mgmt-sql==0.10.0
+azure-mgmt-storage==3.1.0
 azure-mgmt-trafficmanager==0.50.0
-azure-mgmt-web==0.32.0
+azure-mgmt-web==0.41.0
 azure-nspkg==2.0.0
 azure-storage==0.35.1
 backports.ssl-match-hostname==3.5.0.1
@@ -43,13 +51,11 @@ certifi==2018.1.18 # via msrest, requests
 cffi==1.11.5 # via bcrypt, cryptography, pynacl
 chardet==3.0.4 # via requests
 colorama==0.3.9 # via azure-cli-core, knack
-configparser==3.5.0 # via entrypoints
 cryptography==2.6.1 # via adal, azure-keyvault, azure-storage, paramiko, pyopenssl, requests-kerberos, requests-ntlm, secretstorage
 decorator==4.2.1 # via openstacksdk
 deprecation==2.0 # via openstacksdk
 docutils==0.14 # via botocore
 dogpile.cache==0.6.5 # via openstacksdk
-entrypoints==0.2.3 # via keyring
 enum34==1.1.6; python_version < '3' # via cryptography, knack, msrest, ovirt-engine-sdk-python
 futures==3.2.0; python_version < '3' # via openstacksdk, s3transfer
 google-auth==1.6.2
@@ -62,13 +68,12 @@ jinja2==2.10.1
 jmespath==0.9.3 # via azure-cli-core, boto3, botocore, knack, openstacksdk
 jsonpatch==1.21 # via openstacksdk
 jsonpointer==2.0 # via jsonpatch
-keyring==15.1.0 # via msrestazure
 keystoneauth1==3.11.2 # via openstacksdk, os-client-config
 knack==0.3.3 # via azure-cli-core
 lxml==4.1.1 # via ncclient, pyvmomi
 monotonic==1.4 # via humanfriendly
-msrest==0.4.29
-msrestazure==0.4.31
+msrest==0.6.1
+msrestazure==0.5.0
 munch==2.2.0 # via openstacksdk
 ncclient==0.6.3
 netaddr==0.7.19
@@ -106,9 +111,7 @@ requests==2.20.0
 requestsexceptions==1.4.0 # via openstacksdk, os-client-config
 rsa==4.0 # via google-auth
 s3transfer==0.1.13 # via boto3
-secretstorage==2.3.1 # via keyring
 selectors2==2.0.1 # via ncclient
-
 six==1.11.0 # via azure-cli-core, bcrypt, cryptography, google-auth, isodate, keystoneauth1, knack, munch, ncclient, ntlm-auth, openstacksdk, ovirt-engine-sdk-python, packaging, pynacl, pyopenssl, python-dateutil, pyvmomi, pywinrm, stevedore
 stevedore==1.28.0 # via keystoneauth1
 tabulate==0.7.7 # via azure-cli-core, knack
From 311daf10b8dc9793844a5c6a3e9631cb4019659d Mon Sep 17 00:00:00 2001
From: Jake McDermott Date: Tue, 23 Apr 2019 10:39:37 -0400 Subject: [PATCH 26/34] handle insights credential lookups for projects Although most scm types correspond to an scm credential lookup, insights uses its own credential type. --- .../projects/add/projects-add.controller.js | 10 +++++++--- .../projects/edit/projects-edit.controller.js | 11 +++++++---- awx/ui/client/src/projects/main.js | 18 ++++++++++++++++++ 3 files changed, 32 insertions(+), 7 deletions(-) diff --git a/awx/ui/client/src/projects/add/projects-add.controller.js b/awx/ui/client/src/projects/add/projects-add.controller.js index a76c80d496..bd6b5985c5 100644 --- a/awx/ui/client/src/projects/add/projects-add.controller.js +++ b/awx/ui/client/src/projects/add/projects-add.controller.js @@ -7,10 +7,10 @@ export default ['$scope', '$location', '$stateParams', 'GenerateForm', 'ProjectsForm', 'Rest', 'Alert', 'ProcessErrors', 'GetBasePath', 'GetProjectPath', 'GetChoices', 'Wait', '$state', 'CreateSelect2', 'i18n', - 'ConfigData', 'resolvedModels', 'scmCredentialType', + 'ConfigData', 'resolvedModels', 'scmCredentialType', 'insightsCredentialType', function($scope, $location, $stateParams, GenerateForm, ProjectsForm, Rest, Alert, ProcessErrors, GetBasePath, GetProjectPath, GetChoices, Wait, $state, - CreateSelect2, i18n, ConfigData, resolvedModels, scmCredentialType) { + CreateSelect2, i18n, ConfigData, resolvedModels, scmCredentialType, insightsCredentialType) { let form = ProjectsForm(), base = $location.path().replace(/^\//, '').split('/')[0], 
@@ -191,9 +191,13 @@ export default ['$scope', '$location', '$stateParams', 'GenerateForm', $scope.lookupCredential = function(){ // Perform a lookup on the credential_type. Git, Mercurial, and Subversion // all use SCM as their credential type. + let lookupCredentialType = scmCredentialType; + if ($scope.scm_type.value === 'insights') { + lookupCredentialType = insightsCredentialType; + } $state.go('.credential', { credential_search: { - credential_type: scmCredentialType, + credential_type: lookupCredentialType, page_size: '5', page: '1' } diff --git a/awx/ui/client/src/projects/edit/projects-edit.controller.js b/awx/ui/client/src/projects/edit/projects-edit.controller.js index 6a14d7e40b..5dd515828c 100644 --- a/awx/ui/client/src/projects/edit/projects-edit.controller.js +++ b/awx/ui/client/src/projects/edit/projects-edit.controller.js @@ -8,12 +8,12 @@ export default ['$scope', '$rootScope', '$stateParams', 'ProjectsForm', 'Rest', 'Alert', 'ProcessErrors', 'GenerateForm', 'Prompt', 'isNotificationAdmin', 'GetBasePath', 'GetProjectPath', 'Authorization', 'GetChoices', 'Empty', 'Wait', 'ProjectUpdate', '$state', 'CreateSelect2', 'ToggleNotification', - 'i18n', 'OrgAdminLookup', 'ConfigData', 'scmCredentialType', + 'i18n', 'OrgAdminLookup', 'ConfigData', 'scmCredentialType', 'insightsCredentialType', function($scope, $rootScope, $stateParams, ProjectsForm, Rest, Alert, ProcessErrors, GenerateForm, Prompt, isNotificationAdmin, GetBasePath, GetProjectPath, Authorization, GetChoices, Empty, Wait, ProjectUpdate, $state, CreateSelect2, ToggleNotification, i18n, OrgAdminLookup, - ConfigData, scmCredentialType) { + ConfigData, scmCredentialType, insightsCredentialType) { let form = ProjectsForm(), defaultUrl = GetBasePath('projects') + $stateParams.project_id + '/', 
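Review bot: The comment above the new `lookupCredentialType` assignment still says Git, Mercurial and Subversion all use SCM as their credential type, while the added branch now switches to `insightsCredentialType` when `$scope.scm_type.value === 'insights'`, so the comment should be extended, e.g. `// Insights projects use the Insights credential type instead of SCM.`. The same dereference is added in the projects-edit.controller.js hunk at @@ -310,10, and if `$scope.scm_type` can be unset when the lookup is opened both will throw instead of falling back to SCM; `if ($scope.scm_type && $scope.scm_type.value === 'insights') {` keeps the old fallback in that case. Both enclosing `lookupCredential` functions continue past the end of their hunks.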
@@ -310,10 +310,13 @@ export default ['$scope', '$rootScope', '$stateParams', 'ProjectsForm', 'Rest', $scope.lookupCredential = function(){ // Perform a lookup on the credential_type. Git, Mercurial, and Subversion // all use SCM as their credential type. - + let lookupCredentialType = scmCredentialType; + if ($scope.scm_type.value === 'insights') { + lookupCredentialType = insightsCredentialType; + } $state.go('.credential', { credential_search: { - credential_type: scmCredentialType, + credential_type: lookupCredentialType, page_size: '5', page: '1' } diff --git a/awx/ui/client/src/projects/main.js b/awx/ui/client/src/projects/main.js index d788f1f064..2f45552b45 100644 --- a/awx/ui/client/src/projects/main.js +++ b/awx/ui/client/src/projects/main.js @@ -36,7 +36,23 @@ function ResolveScmCredentialType (GetBasePath, Rest, ProcessErrors) { }); } +function ResolveInsightsCredentialType (GetBasePath, Rest, ProcessErrors) { + Rest.setUrl(GetBasePath('credential_types') + '?name=Insights'); + + return Rest.get() + .then(({ data }) => { + return data.results[0].id; + }) + .catch(({ data, status }) => { + ProcessErrors(null, data, status, null, { + hdr: 'Error!', + msg: 'Failed to get credential type data: ' + status + }); + }); +} + ResolveScmCredentialType.$inject = ['GetBasePath', 'Rest', 'ProcessErrors']; +ResolveInsightsCredentialType.$inject = ['GetBasePath', 'Rest', 'ProcessErrors']; export default @@ -70,6 +86,7 @@ angular.module('Projects', []) const stateIndex = res.states.findIndex(s => s.name === projectsAddName); res.states[stateIndex].resolve.scmCredentialType = ResolveScmCredentialType; + res.states[stateIndex].resolve.insightsCredentialType = ResolveInsightsCredentialType; return res; }); 
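Review bot: `ResolveInsightsCredentialType` indexes `data.results[0].id` without checking that the `?name=Insights` lookup returned anything, so an empty result set raises a TypeError inside `.then`, and the `.catch(({ data, status }) => ...)` written for HTTP failures then receives that TypeError and reports it through ProcessErrors with undefined `data` and `status`. In either failure the resolver resolves to undefined, and the projects-add/edit controllers would go on to search credentials with `credential_type: undefined`; a length check before the index and a comment on the function stating that it resolves to undefined when the lookup fails would make that visible. The body is a copy of the pre-existing `ResolveScmCredentialType` above with only the query string changed, so a shared helper parameterised on the type name would avoid maintaining the fetch-and-catch block twice.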
@@ -113,6 +130,7 @@ angular.module('Projects', []) const stateIndex = res.states.findIndex(s => s.name === projectsEditName); res.states[stateIndex].resolve.scmCredentialType = ResolveScmCredentialType; + res.states[stateIndex].resolve.insightsCredentialType = ResolveInsightsCredentialType; return res; }); From 75065b6407fb92eb34dae35dfdd5163718fbb195 Mon Sep 17 00:00:00 2001 From: Daniel Sami Date: Tue, 23 Apr 2019 15:45:27 -0400 Subject: [PATCH 27/34] e2e stability backport for 3.5 --- awx/ui/test/e2e/commands/logout.js | 3 +- awx/ui/test/e2e/objects/applications.js | 2 +- awx/ui/test/e2e/tests/test-users-crud.js | 10 +++ awx/ui/test/e2e/tests/test-websockets.js | 6 +- .../e2e/tests/test-workflow-visualizer.js | 88 +++++++++---------- 5 files changed, 57 insertions(+), 52 deletions(-) diff --git a/awx/ui/test/e2e/commands/logout.js b/awx/ui/test/e2e/commands/logout.js index 2eba1f985d..b06e5b5048 100644 --- a/awx/ui/test/e2e/commands/logout.js +++ b/awx/ui/test/e2e/commands/logout.js @@ -5,7 +5,6 @@ exports.command = function logout () { const logoutButton = '.at-Layout-topNav i.fa-power-off'; this - .waitForElementVisible(logoutButton) - .click(logoutButton) + .findThenClick(logoutButton, 'css') .waitForElementPresent('#login-button'); }; diff --git a/awx/ui/test/e2e/objects/applications.js b/awx/ui/test/e2e/objects/applications.js index 6118d8e5e3..2a2a06b95a 100644 --- a/awx/ui/test/e2e/objects/applications.js +++ b/awx/ui/test/e2e/objects/applications.js @@ -62,7 +62,7 @@ module.exports = { this .waitForElementVisible('#alert-modal-msg') .expect.element('#alert-modal-msg').text.contain(application.name); - this.click('#alert_ok_btn'); + this.findThenClick('#alert_ok_btn', 'css'); this.waitForElementNotVisible('#alert-modal-msg'); }, delete (name) { diff --git a/awx/ui/test/e2e/tests/test-users-crud.js b/awx/ui/test/e2e/tests/test-users-crud.js index 26f2bf5a4e..030ed0f7a4 100644 --- a/awx/ui/test/e2e/tests/test-users-crud.js 
+++ b/awx/ui/test/e2e/tests/test-users-crud.js @@ -20,6 +20,7 @@ const store = { lastName: `last-admin-${testID}`, password: `admin-${testID}`, username: `admin-${testID}`, + usernameDefault: `user-${testID}`, type: 'administrator', }, auditor: { @@ -28,6 +29,7 @@ const store = { lastName: `last-auditor-${testID}`, password: `auditor-${testID}`, username: `auditor-${testID}`, + usernameDefault: `user-${testID}`, type: 'auditor', }, user: { @@ -36,12 +38,20 @@ const store = { lastName: `last-${testID}`, password: `${testID}`, username: `user-${testID}`, + usernameDefault: `user-${testID}`, type: 'normal', }, }; module.exports = { before: (client, done) => { + // generate a unique username on each attempt. + const uniqueUser = uuid().substr(0, 8); + Object.entries(store).forEach(([key]) => { + if ('username' in store[key]) { + store[key].username = `${store[key].usernameDefault}-${uniqueUser}`; + } + }); const resources = [ getOrganization(store.organization.name), getAuditor(store.auditor.username), diff --git a/awx/ui/test/e2e/tests/test-websockets.js b/awx/ui/test/e2e/tests/test-websockets.js index 48e3e654fb..4aa6877ece 100644 --- a/awx/ui/test/e2e/tests/test-websockets.js +++ b/awx/ui/test/e2e/tests/test-websockets.js @@ -1,6 +1,7 @@ /* Websocket tests. These tests verify that items like the sparkline (colored box rows which * display job status) and other status icons update correctly as the jobs progress. */ +import uuid from 'uuid'; import { getInventorySource, 
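Review bot: All three `usernameDefault` values added in the @@ -20, @@ -28 and @@ -36 hunks are `user-${testID}`, so after the new `before` hook rewrites `username` the admin, auditor and normal user all end up with the identical username `user-${testID}-${uniqueUser}`, whereas before the change they were `admin-…`, `auditor-…` and `user-…`. Unless the three roles are meant to share one account, the admin and auditor entries should default to `admin-${testID}` and `auditor-${testID}`. `Object.entries(store).forEach(([key]) => ...)` only uses the key, so `Object.keys(store).forEach(key => ...)` reads more directly, and `uuid` is not imported in this hunk, so presumably the file already imports it — worth confirming, since the sibling test files needed a new import in this commit. The `before` hook continues past the end of the hunk.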
@@ -160,13 +161,14 @@ module.exports = { .to.be.present.before(AWX_E2E_TIMEOUT_ASYNC); }, 'Test pending deletion of inventories': client => { - getInventorySource('test-pending-delete'); + const uniqueID = uuid().substr(0, 8); + getInventorySource(`test-pending-delete-${uniqueID}`); client .useCss() .navigateTo(`${AWX_E2E_URL}/#/inventories`, false) .waitForElementVisible('.SmartSearch-input') .clearValue('.SmartSearch-input') - .setValue('.SmartSearch-input', ['test-pending-delete', client.Keys.ENTER]) + .setValue('.SmartSearch-input', [`test-pending-delete-${uniqueID}`, client.Keys.ENTER]) .pause(AWX_E2E_TIMEOUT_SHORT) // helps prevent flake .findThenClick('.fa-trash-o', 'css') .waitForElementVisible('#prompt_action_btn') diff --git a/awx/ui/test/e2e/tests/test-workflow-visualizer.js b/awx/ui/test/e2e/tests/test-workflow-visualizer.js index 1ca625e97a..112b1b8942 100644 --- a/awx/ui/test/e2e/tests/test-workflow-visualizer.js +++ b/awx/ui/test/e2e/tests/test-workflow-visualizer.js @@ -1,3 +1,5 @@ +import uuid from 'uuid'; + import { getInventorySource, getJobTemplate, @@ -7,15 +9,12 @@ import { import { AWX_E2E_URL, - AWX_E2E_TIMEOUT_LONG } from '../settings'; let data; const spinny = "//*[contains(@class, 'spinny')]"; -const workflowSelector = "//a[text()='test-actions-workflow-template']"; const workflowVisualizerBtn = "//button[contains(@id, 'workflow_job_template_workflow_visualizer_btn')]"; const workflowSearchBar = "//input[contains(@class, 'SmartSearch-input')]"; -const workflowText = 'name.iexact:"test-actions-workflow-template"'; const startNodeId = '1'; let initialJobNodeId; 
@@ -26,10 +25,6 @@ let leafNodeId; const nodeAdd = "//*[contains(@class, 'WorkflowChart-nodeAddIcon')]"; const nodeRemove = "//*[contains(@class, 'WorkflowChart-nodeRemoveIcon')]"; -// one of the jobs or projects or inventories -const testActionsJob = "//div[contains(@class, 'List-tableCell') and contains(text(), 'test-actions-job')]"; -const testActionsJobText = 'name.iexact:"test-actions-job-template"'; - // search bar for visualizer templates const jobSearchBar = "//*[contains(@id, 'workflow-jobs-list')]//input[contains(@class, 'SmartSearch-input')]"; 
@@ -49,51 +44,50 @@ const deleteConfirmation = "//button[@ng-click='confirmDeleteNode()']"; const xPathNodeById = (id) => `//*[@id='node-${id}']`; const xPathLinkById = (sourceId, targetId) => `//*[@id='link-${sourceId}-${targetId}']//*[contains(@class, 'WorkflowChart-linkPath')]`; +const xPathNodeByName = (name) => `//*[contains(@class, "WorkflowChart-nameText") and contains(text(), "${name}")]/..`; module.exports = { before: (client, done) => { + // Ensure deterministic state on retries + const testID = uuid().substr(0, 8); + const namespace = `test-actions-${testID}`; const resources = [ - getInventorySource('test-actions'), - getJobTemplate('test-actions'), - getProject('test-actions'), - getWorkflowTemplate('test-actions'), + getInventorySource(namespace), + getJobTemplate(namespace), + getProject(namespace), + getWorkflowTemplate(namespace), ]; Promise.all(resources) - .then(([source, template, project, workflow]) => { - data = { source, template, project, workflow }; + .then(([inventory, template, project, workflow]) => { + data = { inventory, template, project, workflow }; + client + .login() + .waitForAngular() + .resizeWindow(1200, 1000) + .navigateTo(`${AWX_E2E_URL}/#/templates`, false) + .useXpath() + .waitForElementVisible(workflowSearchBar) + .setValue(workflowSearchBar, [`name.iexact:"${data.workflow.name}"`]) + .click('//*[contains(@class, "SmartSearch-searchButton")]') + .waitForSpinny(true) + .click(`//a[text()="${namespace}-workflow-template"]`) + .waitForElementVisible(workflowVisualizerBtn) + .click(workflowVisualizerBtn) + .waitForSpinny(true); + client.waitForElementVisible(xPathNodeByName(`${namespace}-job`)); + // Grab the ids of the nodes + client.getAttribute(xPathNodeByName(`${namespace}-job`), 'id', (res) => { + initialJobNodeId = res.value.split('-')[1]; + }); + client.getAttribute(xPathNodeByName(`${namespace}-pro`), 'id', (res) => { + initialProjectNodeId = res.value.split('-')[1]; + }); + 
client.getAttribute(xPathNodeByName(`${namespace}-inv`), 'id', (res) => { + initialInventoryNodeId = res.value.split('-')[1]; + }); done(); }); - client - .login() - .waitForAngular() - .resizeWindow(1200, 1000) - .navigateTo(`${AWX_E2E_URL}/#/templates`, false) - .useXpath() - .waitForElementVisible(workflowSearchBar) - .setValue(workflowSearchBar, [workflowText]) - .click('//*[contains(@class, "SmartSearch-searchButton")]') - .waitForSpinny(true) - .click('//*[contains(@class, "SmartSearch-clearAll")]') - .waitForSpinny(true) - .setValue(workflowSearchBar, [workflowText]) - .click('//*[contains(@class, "SmartSearch-searchButton")]') - .waitForSpinny(true) - .click(workflowSelector) - .waitForSpinny(true) - .click(workflowVisualizerBtn); - client.waitForElementVisible('//*[contains(@class, "WorkflowChart-nameText") and contains(text(), "test-actions-job")]/..'); - - // Grab the ids of the nodes - client.getAttribute('//*[contains(@class, "WorkflowChart-nameText") and contains(text(), "test-actions-job")]/..', 'id', (res) => { - initialJobNodeId = res.value.split('-')[1]; - }); - client.getAttribute('//*[contains(@class, "WorkflowChart-nameText") and contains(text(), "test-actions-project")]/..', 'id', (res) => { - initialProjectNodeId = res.value.split('-')[1]; - }); - client.getAttribute('//*[contains(@class, "WorkflowChart-nameText") and contains(text(), "test-actions-inventory")]/..', 'id', (res) => { - initialInventoryNodeId = res.value.split('-')[1]; - }); }, 'verify that workflow visualizer new root node can only be set to always': client => { client 
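Review bot: The rewritten `before` hook searches the template list with `data.workflow.name` but then clicks an anchor built from `${namespace}-workflow-template`, which re-derives the name on the assumption that `getWorkflowTemplate(namespace)` names it that way; using `${data.workflow.name}` in the click selector as well keeps the two in step. Likewise the `xPathNodeByName` lookups match on the prefixes `${namespace}-job`, `${namespace}-pro` and `${namespace}-inv`, which depend on the fixture names following that convention, and a short comment above them naming the expected fixture names would make the dependency explicit. `data` now stores `inventory` instead of `source`; if anything outside this hunk still reads `data.source` it would now be undefined.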
@@ -143,9 +137,9 @@ module.exports = {
 client
 .waitForElementVisible(jobSearchBar)
 .clearValue(jobSearchBar)
- .setValue(jobSearchBar, [testActionsJobText, client.Keys.ENTER])
+ .setValue(jobSearchBar, [`name.iexact:"${data.template.name}"`, client.Keys.ENTER])
 .pause(1000)
- .findThenClick(testActionsJob)
+ .findThenClick(`//div[contains(@class, "List-tableCell") and contains(text(), "${data.template.name}")]`)
 .pause(1000)
 .waitForElementNotVisible(spinny)
 .findThenClick(edgeTypeDropdownBar)
@@ -174,9 +168,9 @@ module.exports = {
 client
 .waitForElementVisible(jobSearchBar)
 .clearValue(jobSearchBar)
- .setValue(jobSearchBar, [testActionsJobText, client.Keys.ENTER])
+ .setValue(jobSearchBar, [`name.iexact:"${data.template.name}"`, client.Keys.ENTER])
 .pause(1000)
- .findThenClick(testActionsJob)
+ .findThenClick(`//div[contains(@class, "List-tableCell") and contains(text(), "${data.template.name}")]`)
 .pause(1000)
 .waitForElementNotVisible(spinny)
 .findThenClick(edgeTypeDropdownBar)
From 2f7ec6ff13d9d8a74aa2ede8e043e54f6ba1678b Mon Sep 17 00:00:00 2001
From: John Hill
Date: Tue, 23 Apr 2019 16:01:45 -0400
Subject: [PATCH 28/34] adding a markerfile for e2e runs
---
 awx/ui/test/e2e/e2e-pipeline.groovy | 1 +
 1 file changed, 1 insertion(+)
 create mode 100644 awx/ui/test/e2e/e2e-pipeline.groovy
diff --git a/awx/ui/test/e2e/e2e-pipeline.groovy b/awx/ui/test/e2e/e2e-pipeline.groovy
new file mode 100644
index 0000000000..637434954f
--- /dev/null
+++ b/awx/ui/test/e2e/e2e-pipeline.groovy
@@ -0,0 +1 @@
+e2e-pipeline()
\ No newline at end of file
From 64ae7a6e45e57762abb35bceafc0cdf6026eba52 Mon Sep 17 00:00:00 2001
From: Christian Adams
Date: Tue, 23 Apr 2019 16:22:31 -0400
Subject: [PATCH 29/34] analytics table copies formatted as csv now
---
 awx/main/analytics/collectors.py | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/awx/main/analytics/collectors.py b/awx/main/analytics/collectors.py
index 25b168cb46..eece8c0654 100644
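Review bot: Both hunks (-143 and -174) build the same list-cell XPath inline, so the two call sites can drift apart; a helper next to the existing `xPathNodeById`/`xPathLinkById` constants, `const xPathListCellByText = (text) => `//div[contains(@class, "List-tableCell") and contains(text(), "${text}")]`;`, used as `.findThenClick(xPathListCellByText(data.template.name))`, keeps them in step. Because `contains(text(), …)` is a substring match, the click is only unambiguous because the preceding `name.iexact:` search has narrowed the list to one row; a short comment recording that dependency would protect whoever changes the search later. Both enclosing test functions start and end outside the hunks.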
--- a/awx/main/analytics/collectors.py
+++ b/awx/main/analytics/collectors.py
@@ -213,7 +213,7 @@ def copy_tables(since, full_path):
 main_jobevent.uuid,
 main_jobevent.parent_uuid,
 main_jobevent.event,
- main_jobevent.event_data::json->'task_action',
+ main_jobevent.event_data::json->'task_action' AS task_action,
 main_jobevent.failed,
 main_jobevent.changed,
 main_jobevent.playbook,
@@ -225,7 +225,7 @@ def copy_tables(since, full_path):
 main_jobevent.host_name
 FROM main_jobevent
 WHERE main_jobevent.created > {}
- ORDER BY main_jobevent.id ASC) to stdout'''.format(since.strftime("'%Y-%m-%d %H:%M:%S'"))
+ ORDER BY main_jobevent.id ASC) TO STDOUT WITH CSV HEADER'''.format(since.strftime("'%Y-%m-%d %H:%M:%S'"))
 _copy_table(table='events', query=events_query, path=full_path)
 unified_job_query = '''COPY (SELECT main_unifiedjob.id,
@@ -250,7 +250,7 @@ def copy_tables(since, full_path):
 WHERE main_unifiedjob.created > {}
 AND main_unifiedjob.polymorphic_ctype_id = django_content_type.id
 AND main_unifiedjob.launch_type != 'sync'
- ORDER BY main_unifiedjob.id ASC) to stdout'''.format(since.strftime("'%Y-%m-%d %H:%M:%S'"))
+ ORDER BY main_unifiedjob.id ASC) TO STDOUT WITH CSV HEADER'''.format(since.strftime("'%Y-%m-%d %H:%M:%S'"))
 _copy_table(table='unified_jobs', query=unified_job_query, path=full_path)
 unified_job_template_query = '''COPY (SELECT main_unifiedjobtemplate.id,
@@ -270,7 +270,7 @@ def copy_tables(since, full_path):
 main_unifiedjobtemplate.status
 FROM main_unifiedjobtemplate, django_content_type
 WHERE main_unifiedjobtemplate.polymorphic_ctype_id = django_content_type.id
- ORDER BY main_unifiedjobtemplate.id ASC) to stdout'''.format(since.strftime("'%Y-%m-%d %H:%M:%S'"))
+ ORDER BY main_unifiedjobtemplate.id ASC) TO STDOUT WITH CSV HEADER'''.format(since.strftime("'%Y-%m-%d %H:%M:%S'"))
 _copy_table(table='unified_job_template', query=unified_job_template_query, path=full_path)
 return
From 082a8191600243787f405aa136441df5e91ade6c Mon Sep 17 00:00:00 2001
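Review bot: Now that the output is CSV, the `task_action` column in the first hunk is still produced with `->`, which yields a JSON value, so a string action is written as a JSON-quoted string and then CSV-escaped (`"""command"""`) rather than as plain text; if the consumer of the bundle expects the bare name, `main_jobevent.event_data::json->>'task_action' AS task_action,` returns text — the operator is unchanged by this commit, but the new format makes the difference visible. The switch to `TO STDOUT WITH CSV HEADER` changes the file format for every reader of the collected tables and is not recorded anywhere near the queries; a comment above the first query, `# each table is emitted as CSV with a header row; readers must use a CSV parser`, would document the contract. `since` is spliced into the COPY statement with `str.format`, which is only safe because it is a datetime rendered through `strftime`; a one-line comment stating that `since` must be a datetime would keep a later caller from passing a raw string into the SQL. `copy_tables` begins before the first hunk.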
From: John Hill
Date: Wed, 24 Apr 2019 08:22:07 -0400
Subject: [PATCH 30/34] removing hyphen
---
 awx/ui/test/e2e/e2e-pipeline.groovy | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/awx/ui/test/e2e/e2e-pipeline.groovy b/awx/ui/test/e2e/e2e-pipeline.groovy
index 637434954f..efd27124e5 100644
--- a/awx/ui/test/e2e/e2e-pipeline.groovy
+++ b/awx/ui/test/e2e/e2e-pipeline.groovy
@@ -1 +1 @@
-e2e-pipeline()
\ No newline at end of file
+e2ePipeline()
From 870ebb4b43eaeaa35814643fff585981190abeee Mon Sep 17 00:00:00 2001
From: Daniel Sami
Date: Wed, 24 Apr 2019 09:28:06 -0400
Subject: [PATCH 31/34] fix to work with diff versions of node
---
 awx/ui/test/e2e/tests/test-users-crud.js | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/awx/ui/test/e2e/tests/test-users-crud.js b/awx/ui/test/e2e/tests/test-users-crud.js
index 030ed0f7a4..de5ca615cc 100644
--- a/awx/ui/test/e2e/tests/test-users-crud.js
+++ b/awx/ui/test/e2e/tests/test-users-crud.js
@@ -20,7 +20,7 @@ const store = {
 lastName: `last-admin-${testID}`,
 password: `admin-${testID}`,
 username: `admin-${testID}`,
- usernameDefault: `user-${testID}`,
+ usernameDefault: `admin-${testID}`,
 type: 'administrator',
 },
 auditor: {
@@ -29,7 +29,7 @@ const store = {
 lastName: `last-auditor-${testID}`,
 password: `auditor-${testID}`,
 username: `auditor-${testID}`,
- usernameDefault: `user-${testID}`,
+ usernameDefault: `auditor-${testID}`,
 type: 'auditor',
 },
 user: {
@@ -47,7 +47,7 @@ module.exports = {
 before: (client, done) => {
 // generate a unique username on each attempt.
 const uniqueUser = uuid().substr(0, 8);
- Object.entries(store).forEach(([key]) => {
+ Object.keys(store).forEach(key => {
 if ('username' in store[key]) {
 store[key].username = `${store[key].usernameDefault}-${uniqueUser}`;
 }
From c9424f9af8e2df0908d43d4e9b55969931e60a1f Mon Sep 17 00:00:00 2001
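Review bot: The `usernameDefault` edits in the first two hunks are a behavioural fix separate from the Node-compatibility change the subject describes: before them the admin and auditor entries both derived their final username from `user-${testID}`, so `before` would assign the same `user-${testID}-${uniqueUser}` to both and the second create would collide. Nothing in the file enforces that the defaults differ, so a comment beside the field, `// usernameDefault must be unique per role: before() builds the final username from it`, would record the constraint. The `store` object and its `user` entry continue outside the hunks.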
From: Ryan Petrello
Date: Wed, 24 Apr 2019 11:59:31 -0400
Subject: [PATCH 32/34] fix a few issues with license counts in /api/v2/metrics/
- switched these to gauges so people can track them over time
- fixed a typo that caused `free_instances` to always be zero
---
 awx/main/analytics/metrics.py | 7 ++++++-
 awx/main/tests/functional/analytics/test_metrics.py | 2 ++
 2 files changed, 8 insertions(+), 1 deletion(-)
diff --git a/awx/main/analytics/metrics.py b/awx/main/analytics/metrics.py
index 482aea829c..4219197cf4 100644
--- a/awx/main/analytics/metrics.py
+++ b/awx/main/analytics/metrics.py
@@ -44,6 +44,9 @@ INSTANCE_INFO = Info('awx_instance', 'Info about each node in a Tower system', [
 INSTANCE_LAUNCH_TYPE = Gauge('awx_instance_launch_type_total', 'Type of Job launched', ['node', 'launch_type',])
 INSTANCE_STATUS = Gauge('awx_instance_status_total', 'Status of Job launched', ['node', 'status',])
+LICENSE_INSTANCE_TOTAL = Gauge('awx_license_instance_total', 'Total number of managed hosts provided by your license')
+LICENSE_INSTANCE_FREE = Gauge('awx_license_instance_free', 'Number of remaining managed hosts provided by your license')
+
 def metrics():
 license_info = get_license(show_key=False)
@@ -54,13 +57,15 @@ def metrics():
 'tower_version': get_awx_version(),
 'ansible_version': get_ansible_version(),
 'license_type': license_info.get('license_type', 'UNLICENSED'),
- 'free_instances': str(license_info.get('free instances', 0)),
 'license_expiry': str(license_info.get('time_remaining', 0)),
 'pendo_tracking': settings.PENDO_TRACKING_STATE,
 'external_logger_enabled': str(settings.LOG_AGGREGATOR_ENABLED),
 'external_logger_type': getattr(settings, 'LOG_AGGREGATOR_TYPE', 'None')
 })
+ LICENSE_INSTANCE_TOTAL.set(str(license_info.get('available_instances', 0)))
+ LICENSE_INSTANCE_FREE.set(str(license_info.get('free_instances', 0)))
+
 current_counts = counts(None)
 ORG_COUNT.set(current_counts['organization'])
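Review bot: The two new `Gauge.set` calls in the second hunk wrap the license values in `str()`, but a gauge takes a number and, as far as I recall, the client coerces whatever it receives with `float()`, so the `str()` is at best a no-op and at worst only defers a failure on a non-numeric value to the conversion; `LICENSE_INSTANCE_TOTAL.set(license_info.get('available_instances', 0))` and `LICENSE_INSTANCE_FREE.set(license_info.get('free_instances', 0))` read as intended. Dropping the `free_instances` key from the Info metric's label set is a breaking change for anyone scraping that label; the commit message covers the move to gauges, but a comment on the new gauge definitions, `# replaces the former free_instances label on the system Info metric`, would make the replacement discoverable from the code. `metrics()` continues past the end of the hunk.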
diff --git a/awx/main/tests/functional/analytics/test_metrics.py b/awx/main/tests/functional/analytics/test_metrics.py
index 8d3bb957e7..385c299aea 100644
--- a/awx/main/tests/functional/analytics/test_metrics.py
+++ b/awx/main/tests/functional/analytics/test_metrics.py
@@ -28,6 +28,8 @@ EXPECTED_VALUES = {
 'awx_instance_cpu':0.0,
 'awx_instance_memory':0.0,
 'awx_instance_info':1.0,
+ 'awx_license_instance_total':0,
+ 'awx_license_instance_free':0,
 }
From aa52e41c02fa1ccde91f0e2ea4d4f67b98cf9b3b Mon Sep 17 00:00:00 2001
From: Bill Nottingham
Date: Wed, 24 Apr 2019 14:12:52 -0400
Subject: [PATCH 33/34] Kill the rabbitmq sos collection from our plugin.
It exists in upstream sosreport, and this can cause conflicts.
---
 tools/sosreport/tower.py | 3 ---
 1 file changed, 3 deletions(-)
diff --git a/tools/sosreport/tower.py b/tools/sosreport/tower.py
index 10d41d6efd..70cf132207 100644
--- a/tools/sosreport/tower.py
+++ b/tools/sosreport/tower.py
@@ -10,8 +10,6 @@ SOSREPORT_TOWER_COMMANDS = [
 "awx-manage list_instances", # tower cluster configuration
 "awx-manage run_dispatcher --status", # tower dispatch worker status
 "supervisorctl status", # tower process status
- "rabbitmqctl status",
- "rabbitmqctl cluster_status",
 "/var/lib/awx/venv/awx/bin/pip freeze", # pip package list
 "/var/lib/awx/venv/awx/bin/pip freeze -l", # pip package list without globally-installed packages
 "/var/lib/awx/venv/ansible/bin/pip freeze", # pip package list
@@ -30,7 +28,6 @@ SOSREPORT_TOWER_DIRS = [
 "/etc/nginx/",
 "/var/log/tower",
 "/var/log/nginx",
- "/var/log/rabbitmq",
 "/var/log/supervisor",
 "/var/log/syslog",
 "/var/log/udev",
From 2808a852eb0d320e9a436e252049e62ca3038bde Mon Sep 17 00:00:00 2001
From: Ryan Petrello
Date: Thu, 25 Apr 2019 09:49:03 -0400
Subject: [PATCH 34/34] pin runner 1.3.4
---
 requirements/requirements.in | 2 +-
 requirements/requirements.txt | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/requirements/requirements.in b/requirements/requirements.in
index 8ad8ac9639..0667c8dcc2 100644
--- a/requirements/requirements.in
+++ b/requirements/requirements.in
@@ -1,4 +1,4 @@
-ansible-runner==1.3.3
+ansible-runner==1.3.4
 appdirs==1.4.2
 asgi-amqp==1.1.3
 asgiref==1.1.2
diff --git a/requirements/requirements.txt b/requirements/requirements.txt
index a154d73134..6d9c19694a 100644
--- a/requirements/requirements.txt
+++ b/requirements/requirements.txt
@@ -6,7 +6,7 @@
 #
 adal==1.2.1 # via msrestazure
 amqp==2.3.2 # via kombu
-ansible-runner==1.3.3
+ansible-runner==1.3.4
 appdirs==1.4.2
 argparse==1.4.0 # via uwsgitop
 asgi-amqp==1.1.3