From 15a739687fc7c6d0a75568ed38e71f6ce1a40deb Mon Sep 17 00:00:00 2001 From: Jared Tabor Date: Tue, 23 May 2017 16:46:12 -0400 Subject: [PATCH 1/7] Insights Dashboard more insights changes for responsiveness severity and icons various insights changes to dashboard changing fake data --- awx/ui/client/assets/i_severity_critical.svg | 61 ++ awx/ui/client/assets/i_severity_high.svg | 61 ++ awx/ui/client/assets/i_severity_low.svg | 62 ++ awx/ui/client/assets/i_severity_med.svg | 62 ++ .../inventories/insights/insights.block.less | 79 +- .../insights/insights.controller.js | 74 +- .../insights/insights.partial.html | 87 +- .../inventories/insights/insights.route.js | 859 +++++++++++++++++- .../client/src/inventories/insights/main.js | 2 + .../src/inventories/insights/plan-filter.js | 15 + .../src/shared/branding/colors.default.less | 1 + .../list/templates-list.controller.js | 5 +- 12 files changed, 1332 insertions(+), 36 deletions(-) create mode 100644 awx/ui/client/assets/i_severity_critical.svg create mode 100644 awx/ui/client/assets/i_severity_high.svg create mode 100644 awx/ui/client/assets/i_severity_low.svg create mode 100644 awx/ui/client/assets/i_severity_med.svg create mode 100644 awx/ui/client/src/inventories/insights/plan-filter.js diff --git a/awx/ui/client/assets/i_severity_critical.svg b/awx/ui/client/assets/i_severity_critical.svg new file mode 100644 index 0000000000..996df323a1 --- /dev/null +++ b/awx/ui/client/assets/i_severity_critical.svg @@ -0,0 +1,61 @@ + + + +image/svg+xml diff --git a/awx/ui/client/assets/i_severity_high.svg b/awx/ui/client/assets/i_severity_high.svg new file mode 100644 index 0000000000..7bd2ba55c8 --- /dev/null +++ b/awx/ui/client/assets/i_severity_high.svg @@ -0,0 +1,61 @@ + + + +image/svg+xml diff --git a/awx/ui/client/assets/i_severity_low.svg b/awx/ui/client/assets/i_severity_low.svg new file mode 100644 index 0000000000..539664987d --- /dev/null +++ b/awx/ui/client/assets/i_severity_low.svg 
@@ -0,0 +1,62 @@ + + + +image/svg+xml diff --git a/awx/ui/client/assets/i_severity_med.svg b/awx/ui/client/assets/i_severity_med.svg new file mode 100644 index 0000000000..33e3c19c30 --- /dev/null +++ b/awx/ui/client/assets/i_severity_med.svg @@ -0,0 +1,62 @@ + + + +image/svg+xml diff --git a/awx/ui/client/src/inventories/insights/insights.block.less b/awx/ui/client/src/inventories/insights/insights.block.less index 38df774da8..a353bd76f4 100644 --- a/awx/ui/client/src/inventories/insights/insights.block.less +++ b/awx/ui/client/src/inventories/insights/insights.block.less @@ -1,5 +1,12 @@ @import "../../shared/branding/colors.default.less"; +.InsightsLastCheck{ + display: flex; + justify-content: flex-end; + padding-bottom: 20px; + align-items: baseline; +} + .InsightsNav{ width: 100%; display: flex; @@ -8,7 +15,6 @@ flex-wrap: wrap; font-size: 14px; font-weight: bold; - } .InsightsNav-rightSide{ @@ -16,7 +22,8 @@ display: flex; flex: 1 0 auto; flex-wrap: wrap; - padding: 10px 0px 10px 0px + max-width: 100%; + padding-left: 10px; } .InsightsNav-leftSide{ @@ -26,6 +33,45 @@ justify-content: flex-end; flex-wrap: wrap; max-width: 100%; + padding-right: 10px; +} + +.InsightsNav-badgeTitle{ + color: #707070; + font-size: 14px; + margin-right: 10px; + font-weight: normal; + text-transform: uppercase; + margin-left: 10px; +} + +.InsightsIcon{ + height: 30px; + width:30px; +} + +.InsightsIcon-warning{ + color:@default-warning; + padding-right: 7px; +} + +.InsightsNav-anchor{ + display:flex; + align-items: center; + cursor:pointer; + height: 40px; + padding-right:10px; +} + +.InsightsNav-anchor.is-currentFilter{ + padding-top: 5px; + border-bottom: 5px solid @menu-link-btm-hov; +} + +.InsightsNav-anchor:hover{ + background-color: @menu-link-bg-hov; + padding-top: 5px; + border-bottom: 5px solid @menu-link-btm-hov; } .InsightsNav-totalIssues{ 
@@ -42,7 +88,7 @@ } .InsightsNav-mediumIssues{ - background-color: @default-succ; + background-color: @insights-yellow; } .InsightsNav-lowIssues{ @@ -52,6 +98,29 @@ .InsightsNav-solvableBadge{ background-color: @b7grey; } -.InsightsNav-solvableBadge:last-of-type{ - margin-right: 20px; + +.InsightsRow{ + margin-top:10px; +} +.InsightsRow-title{ + display: flex; + align-items: center; +} + +.InsightsRow-description{ + font-size:14px; + font-weight: bold; + padding-left: 5px; +} + +.InsightsRow-category{ + margin-left: 10px; +} + +.InsightsRow-body{ + padding-left: 35px; +} + +.InsightsRow-plan{ + padding-left: 35px; } diff --git a/awx/ui/client/src/inventories/insights/insights.controller.js b/awx/ui/client/src/inventories/insights/insights.controller.js index e892b62387..0db15cf70c 100644 --- a/awx/ui/client/src/inventories/insights/insights.controller.js +++ b/awx/ui/client/src/inventories/insights/insights.controller.js 
@@ -4,13 +4,81 @@ * All Rights Reserved *************************************************/ -export default [ -function () { +export default [ 'data', '$scope', 'moment', '$state', +function (data, $scope, moment, $state) { function init() { - // $scope.insights + + $scope.reports = data.reports; + $scope.reports_dataset = data; + $scope.currentFilter = "total"; + $scope.solvable_count = _.filter($scope.reports_dataset.reports, (report) => {return report.maintenance_actions.length > 0;}).length; + $scope.not_solvable_count = _.filter($scope.reports_dataset.reports, (report) => {return report.maintenance_actions.length === 0; }).length; + $scope.critical_count = 0 || _.filter($scope.reports_dataset.reports, (report) => {return report.rule.severity === "CRITICAL"; }).length; + $scope.high_count = _.filter($scope.reports_dataset.reports, (report) => {return report.rule.severity === "ERROR"; }).length; + $scope.med_count = _.filter($scope.reports_dataset.reports, (report) => {return report.rule.severity === "WARN"; }).length; + $scope.low_count = _.filter($scope.reports_dataset.reports, (report) => {return report.rule.severity === "INFO"; }).length; + let a = moment(), b = moment($scope.reports_dataset.last_check_in); + $scope.last_check_in = a.diff(b, 'hours'); } init(); + $scope.filter = function(filter){ + $scope.currentFilter = filter; + if(filter === "total"){ + $scope.reports = $scope.reports_dataset.reports; + } + if(filter === "solvable"){ + $scope.reports = _.filter($scope.reports_dataset.reports, function(report){ + if(report.maintenance_actions.length > 0){ + return report; + } + }); + } + if(filter === "not_solvable"){ + $scope.reports = _.filter($scope.reports_dataset.reports, function(report){ + if(report.maintenance_actions.length === 0){ + return report; + } + }); + } + if(filter === "critical"){ + $scope.reports = _.filter($scope.reports_dataset.reports, function(report){ + if(report.rule.severity === 'CRITICAL'){ + return report; + } + }); + } + 
if(filter === "high"){ + $scope.reports = _.filter($scope.reports_dataset.reports, function(report){ + if(report.rule.severity === 'ERROR'){ + return report; + } + }); + } + if(filter === "medium"){ + $scope.reports = _.filter($scope.reports_dataset.reports, function(report){ + if(report.rule.severity === 'WARN'){ + return report; + } + }); + } + if(filter === "low"){ + $scope.reports = _.filter($scope.reports_dataset.reports, function(report){ + if(report.rule.severity === 'INFO'){ + return report; + } + }); + } + }; + $scope.viewDataInInsights = function(){ + window.open('https://access.redhat.com/insights/info/', '_blank'); + }; + $scope.remediateInventory = function(){ + $state.go('templates.addJobTemplate'); + }; + $scope.formCancel = function(){ + $state.go('inventories', null, {reload: true}); + }; }]; diff --git a/awx/ui/client/src/inventories/insights/insights.partial.html b/awx/ui/client/src/inventories/insights/insights.partial.html index 30268578bc..d1e9fa5414 100644 --- a/awx/ui/client/src/inventories/insights/insights.partial.html +++ b/awx/ui/client/src/inventories/insights/insights.partial.html @@ -1,20 +1,79 @@ +
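Review bot: `$scope.viewDataInInsights` calls `window.open('https://access.redhat.com/insights/info/', '_blank')` and leaves `window.opener` intact, so the new tab keeps a handle to the AWX UI window; the target is a fixed URL, so exposure is small, but passing `'noopener'` as the third argument (or setting `w.opener = null` on the returned window) closes it. Both `init()` and `$scope.filter` read `report.maintenance_actions.length` and `report.rule.severity` with no guard, so a report missing either field would throw; a defensive read such as `(report.maintenance_actions || []).length` would be safer once `data` is no longer a fixed literal. The injected `data` is, in this patch, the literal in insights.route.js, which includes `account_number`, `system_id`, a hostname and a `created_by` user name; if any of these are real values rather than samples, they should be replaced with constructed ones before merge. The `0 ||` in front of the `critical_count` filter has no effect and can be dropped.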
+ + This machine has not checked in with Insights in {{last_check_in}} hours +
-
Total Issues
- 4 -
Critical
- 1 -
High
- 1 -
Medium
- 1 -
Low
- 1 +
+
Total Issues
+ {{reports_dataset.reports.length}} +
+ +
+
Critical
+ {{critical_count}} +
+
+
High
+ {{high_count}} +
+
+
Medium
+ {{med_count}} +
+
+
Low
+ {{low_count}} +
-
Solvable With Playbook
- 4 -
Not Solvable With Playbook
- 1 + +
+
Solvable With Playbook
+ {{solvable_count}} +
+
+
Not Solvable With Playbook
+ {{not_solvable_count}} +
+ +
+
+
+ + + + +
ISSUE: {{report.rule.description}}
+ {{report.rule.category}} +
+
{{report.rule.summary}}
+
+
+
+ +
+ + + +
diff --git a/awx/ui/client/src/inventories/insights/insights.route.js b/awx/ui/client/src/inventories/insights/insights.route.js index 1bba477d18..8bb744b116 100644 --- a/awx/ui/client/src/inventories/insights/insights.route.js +++ b/awx/ui/client/src/inventories/insights/insights.route.js @@ -13,15 +13,854 @@ export default { } }, resolve: { - Facts: ['$stateParams', 'GetBasePath', 'Rest', - function($stateParams, GetBasePath, Rest) { - let ansibleFactsUrl = GetBasePath('hosts') + $stateParams.host_id + '/ansible_facts'; - Rest.setUrl(ansibleFactsUrl); - return Rest.get() - .success(function(data) { - return data; - }); - } - ] + data: [ function(){ + var data = + { + "toString": "ansible1.tronik-insights440.atl.redhat.com", + "isCheckingIn": true, + "system_id": "f31b6265939d4a8492d3ce9655dc94be", + "display_name": null, + "remote_branch": null, + "remote_leaf": null, + "account_number": "540155", + "hostname": "ansible1.tronik-insights440.atl.redhat.com", + "parent_id": null, + "system_type_id": 105, + "last_check_in": "2017-05-25T14:01:19.000Z", + "stale_ack": false, + "type": "machine", + "product": "rhel", + "created_at": "2016-07-26T23:31:13.000Z", + "updated_at": "2017-05-25T14:01:19.000Z", + "unregistered_at": null, + "reports": [{ + "details": { + "vulnerable_setting": "hosts: files dns", + "affected_package": "glibc-2.17-55.el7", + "error_key": "GLIBC_CVE_2015_7547" + }, + "id": 709784455, + "rule_id": "CVE_2015_7547_glibc|GLIBC_CVE_2015_7547", + "system_id": "f31b6265939d4a8492d3ce9655dc94be", + "account_number": "540155", + "uuid": "d195e3c5e5e6469781c4e59fa3f5ba87", + "date": "2017-05-25T14:01:19.000Z", + "rule": { + "summary_html": "

A critical security flaw in the glibc library was found. It allows an attacker to crash an application built against that library or, potentially, execute arbitrary code with privileges of the user running the application.

\n", + "generic_html": "

The glibc library is vulnerable to a stack-based buffer overflow security flaw. A remote attacker could create specially crafted DNS responses that could cause the libresolv part of the library, which performs dual A/AAAA DNS queries, to crash or potentially execute code with the permissions of the user running the library. The issue is only exposed when libresolv is called from the nss_dns NSS service module. This flaw is known as CVE-2015-7547.

\n", + "more_info_html": "\n", + "severity": "ERROR", + "ansible": true, + "ansible_fix": false, + "ansible_mitigation": false, + "rule_id": "CVE_2015_7547_glibc|GLIBC_CVE_2015_7547", + "error_key": "GLIBC_CVE_2015_7547", + "plugin": "CVE_2015_7547_glibc", + "description": "Remote code execution vulnerability in libresolv via crafted DNS response (CVE-2015-7547)", + "summary": "A critical security flaw in the `glibc` library was found. It allows an attacker to crash an application built against that library or, potentially, execute arbitrary code with privileges of the user running the application.", + "generic": "The `glibc` library is vulnerable to a stack-based buffer overflow security flaw. A remote attacker could create specially crafted DNS responses that could cause the `libresolv` part of the library, which performs dual A/AAAA DNS queries, to crash or potentially execute code with the permissions of the user running the library. The issue is only exposed when `libresolv` is called from the nss_dns NSS service module. This flaw is known as [CVE-2015-7547](https://access.redhat.com/security/cve/CVE-2015-7547).", + "reason": "

This host is vulnerable because it has vulnerable package glibc-2.17-55.el7 installed and DNS is enabled in /etc/nsswitch.conf:

\n
hosts:      files dns\n

The glibc library is vulnerable to a stack-based buffer overflow security flaw. A remote attacker could create specially crafted DNS responses that could cause the libresolv part of the library, which performs dual A/AAAA DNS queries, to crash or potentially execute code with the permissions of the user running the library. The issue is only exposed when libresolv is called from the nss_dns NSS service module. This flaw is known as CVE-2015-7547.

\n", + "type": null, + "more_info": "* For more information about the flaw see [CVE-2015-7547](https://access.redhat.com/security/cve/CVE-2015-7547).\n* To learn how to upgrade packages, see \"[What is yum and how do I use it?](https://access.redhat.com/solutions/9934)\"\n* The Customer Portal page for the [Red Hat Security Team](https://access.redhat.com/security/) contains more information about policies, procedures, and alerts for Red Hat Products.\n* The Security Team also maintains a frequently updated blog at [securityblog.redhat.com](https://securityblog.redhat.com).", + "active": true, + "node_id": "2168451", + "category": "Security", + "retired": false, + "reboot_required": false, + "publish_date": "2016-10-31T04:08:35.000Z", + "rec_impact": 4, + "rec_likelihood": 2, + "resolution": "

Red Hat recommends updating glibc and restarting the affected system:

\n
# yum update glibc\n# reboot\n

Alternatively, you can restart all affected services, but because this vulnerability affects a large amount of applications on the system, the best solution is to restart the system.

\n" + }, + "maintenance_actions": [] + }, { + "details": { + "affected_kernel": "3.10.0-123.el7", + "error_key": "KERNEL_CVE-2016-0728" + }, + "id": 709784465, + "rule_id": "CVE_2016_0728_kernel|KERNEL_CVE-2016-0728", + "system_id": "f31b6265939d4a8492d3ce9655dc94be", + "account_number": "540155", + "uuid": "d195e3c5e5e6469781c4e59fa3f5ba87", + "date": "2017-05-25T14:01:19.000Z", + "rule": { + "summary_html": "

A vulnerability in the Linux kernel allowing local privilege escalation was discovered. The issue was reported as CVE-2016-0728.

\n", + "generic_html": "

A vulnerability in the Linux kernel rated Important was discovered. The use-after-free flaw relates to the way the Linux kernel's key management subsystem handles keyring object reference counting in certain error paths of the join_session_keyring() function. A local, unprivileged user could use this flaw to escalate their privileges on the system. The issue was reported as CVE-2016-0728.

\n

Red Hat recommends that you update the kernel and reboot the system. If you cannot reboot now, consider applying the systemtap patch to update your running kernel.

\n", + "more_info_html": "\n", + "severity": "WARN", + "ansible": true, + "ansible_fix": false, + "ansible_mitigation": false, + "rule_id": "CVE_2016_0728_kernel|KERNEL_CVE-2016-0728", + "error_key": "KERNEL_CVE-2016-0728", + "plugin": "CVE_2016_0728_kernel", + "description": "Kernel key management subsystem vulnerable to local privilege escalation (CVE-2016-0728)", + "summary": "A vulnerability in the Linux kernel allowing local privilege escalation was discovered. The issue was reported as [CVE-2016-0728](https://access.redhat.com/security/cve/cve-2016-0728).", + "generic": "A vulnerability in the Linux kernel rated **Important** was discovered. The use-after-free flaw relates to the way the Linux kernel's key management subsystem handles keyring object reference counting in certain error paths of the join_session_keyring() function. A local, unprivileged user could use this flaw to escalate their privileges on the system. The issue was reported as [CVE-2016-0728](https://access.redhat.com/security/cve/cve-2016-0728).\n\nRed Hat recommends that you update the kernel and reboot the system. If you cannot reboot now, consider applying the [systemtap patch](https://bugzilla.redhat.com/attachment.cgi?id=1116284&action=edit) to update your running kernel.", + "reason": "

A vulnerability in the Linux kernel rated Important was discovered. The use-after-free flaw relates to the way the Linux kernel's key management subsystem handles keyring object reference counting in certain error paths of the join_session_keyring() function. A local, unprivileged user could use this flaw to escalate their privileges on the system. The issue was reported as CVE-2016-0728.

\n

The host is vulnerable as it is running kernel-3.10.0-123.el7.

\n", + "type": null, + "more_info": "* For more information about the flaws and versions of the package that are vulnerable see [CVE-2016-0728](https://access.redhat.com/security/cve/cve-2016-0728).\n* To learn how to upgrade packages, see \"[What is yum and how do I use it?](https://access.redhat.com/solutions/9934)\"\n* The Customer Portal page for the [Red Hat Security Team](https://access.redhat.com/security/) contains more information about policies, procedures, and alerts for Red Hat Products.\n* The Security Team also maintains a frequently updated blog at [securityblog.redhat.com](https://securityblog.redhat.com).", + "active": true, + "node_id": "2130791", + "category": "Security", + "retired": false, + "reboot_required": false, + "publish_date": "2016-10-31T04:08:37.000Z", + "rec_impact": 2, + "rec_likelihood": 2, + "resolution": "

Red Hat recommends that you update kernel and reboot. If you cannot reboot now, consider applying the systemtap patch to update your running kernel.

\n
# yum update kernel\n# reboot\n-or-\n# debuginfo-install kernel     (or equivalent)\n# stap -vgt -Gfix_p=1 -Gtrace_p=0 cve20160728e.stp\n
" + }, + "maintenance_actions": [] + }, { + "details": { + "processes_listening_int": [], + "processes_listening_ext": [], + "error_key": "OPENSSL_CVE_2016_0800_SPECIAL_DROWN", + "processes_listening": [], + "processes_names": [], + "vulnerable_package": "openssl-libs-1.0.1e-34.el7" + }, + "id": 709784475, + "rule_id": "CVE_2016_0800_openssl_drown|OPENSSL_CVE_2016_0800_SPECIAL_DROWN", + "system_id": "f31b6265939d4a8492d3ce9655dc94be", + "account_number": "540155", + "uuid": "d195e3c5e5e6469781c4e59fa3f5ba87", + "date": "2017-05-25T14:01:19.000Z", + "rule": { + "summary_html": "

A new cross-protocol attack against SSLv2 protocol has been found. It has been assigned CVE-2016-0800 and is referred to as DROWN - Decrypting RSA using Obsolete and Weakened eNcryption. An attacker can decrypt passively collected TLS sessions between up-to-date client and server which supports SSLv2.

\n", + "generic_html": "

A new cross-protocol attack against a vulnerability in the SSLv2 protocol has been found. It can be used to passively decrypt collected TLS/SSL sessions from any connection that used an RSA key exchange cypher suite on a server that supports SSLv2. Even if a given service does not support SSLv2 the connection is still vulnerable if another service does and shares the same RSA private key.

\n

A more efficient variant of the attack exists against unpatched OpenSSL servers using versions that predate security advisories released on March 19, 2015 (see CVE-2015-0293).

\n", + "more_info_html": "\n", + "severity": "WARN", + "ansible": true, + "ansible_fix": false, + "ansible_mitigation": false, + "rule_id": "CVE_2016_0800_openssl_drown|OPENSSL_CVE_2016_0800_SPECIAL_DROWN", + "error_key": "OPENSSL_CVE_2016_0800_SPECIAL_DROWN", + "plugin": "CVE_2016_0800_openssl_drown", + "description": "OpenSSL vulnerable to very efficient session decryption (CVE-2016-0800/Special DROWN)", + "summary": "A new cross-protocol attack against SSLv2 protocol has been found. It has been assigned [CVE-2016-0800](https://access.redhat.com/security/cve/CVE-2016-0800) and is referred to as DROWN - Decrypting RSA using Obsolete and Weakened eNcryption. An attacker can decrypt passively collected TLS sessions between up-to-date client and server which supports SSLv2.", + "generic": "A new cross-protocol attack against a vulnerability in the SSLv2 protocol has been found. It can be used to passively decrypt collected TLS/SSL sessions from any connection that used an RSA key exchange cypher suite on a server that supports SSLv2. Even if a given service does not support SSLv2 the connection is still vulnerable if another service does and shares the same RSA private key.\n\nA more efficient variant of the attack exists against unpatched OpenSSL servers using versions that predate security advisories released on March 19, 2015 (see [CVE-2015-0293](https://access.redhat.com/security/cve/CVE-2015-0293)).", + "reason": "

This host is vulnerable because it has vulnerable package openssl-libs-1.0.1e-34.el7 installed.

\n

This package does not have a patch for CVE-2015-0293 applied, which makes the system especially vulnerable. This is known as Special DROWN. An attacker can use this flaw to perform active man-in-the-middle (MITM) attacks and impersonate a TLS server to connecting TLS client in a matter of minutes.

\n

Fortunately, it does not seem to run any processes that use OpenSSL libraries.

\n

A new cross-protocol attack against a vulnerability in the SSLv2 protocol has been found. It can be used to passively decrypt collected TLS/SSL sessions from any connection that used an RSA key exchange cypher suite on a server that supports SSLv2. Even if a given service does not support SSLv2 the connection is still vulnerable if another service does and shares the same RSA private key.

\n

A more efficient variant of the attack exists against unpatched OpenSSL servers using versions that predate security advisories released on March 19, 2015 (see CVE-2015-0293).

\n", + "type": null, + "more_info": "* For more information about the flaw see [CVE-2016-0800](https://access.redhat.com/security/cve/CVE-2016-0800)\n* To learn how to upgrade packages, see \"[What is yum and how do I use it?](https://access.redhat.com/solutions/9934)\"\n* The Customer Portal page for the [Red Hat Security Team](https://access.redhat.com/security/) contains more information about policies, procedures, and alerts for Red Hat Products.\n* The Security Team also maintains a frequently updated blog at [securityblog.redhat.com](https://securityblog.redhat.com).", + "active": true, + "node_id": "2174451", + "category": "Security", + "retired": false, + "reboot_required": false, + "publish_date": "2016-10-31T04:08:32.000Z", + "rec_impact": 3, + "rec_likelihood": 2, + "resolution": "

Red Hat recommends that you update openssl and restart the affected system:

\n
# yum update openssl\n# reboot\n

Alternatively, you can restart all affected services (that is, the ones linked to the openssl library), especially those listening on public IP addresses.

\n" + }, + "maintenance_actions": [] + }, { + "details": { + "vulnerable_kernel": "3.10.0-123.el7", + "package_name": "kernel", + "error_key": "KERNEL_CVE_2016_5195" + }, + "id": 709784485, + "rule_id": "CVE_2016_5195_kernel|KERNEL_CVE_2016_5195", + "system_id": "f31b6265939d4a8492d3ce9655dc94be", + "account_number": "540155", + "uuid": "d195e3c5e5e6469781c4e59fa3f5ba87", + "date": "2017-05-25T14:01:19.000Z", + "rule": { + "summary_html": "

A flaw was found in the Linux kernel's memory subsystem. An unprivileged local user could use this flaw to write to files they would normally only have read-only access to and thus increase their privileges on the system.

\n", + "generic_html": "

A race condition was found in the way Linux kernel's memory subsystem handled breakage of the the read only shared mappings COW situation on write access. An unprivileged local user could use this flaw to write to files they should normally have read-only access to, and thus increase their privileges on the system.

\n

A process that is able to mmap a file is able to race Copy on Write (COW) page creation (within get_user_pages) with madvise(MADV_DONTNEED) kernel system calls. This would allow modified pages to bypass the page protection mechanism and modify the mapped file. The vulnerability could be abused by allowing an attacker to modify existing setuid files with instructions to elevate permissions. This attack has been found in the wild.

\n

Red Hat recommends that you update the kernel package or apply mitigations.

\n", + "more_info_html": "\n", + "severity": "CRITICAL", + "ansible": true, + "ansible_fix": false, + "ansible_mitigation": false, + "rule_id": "CVE_2016_5195_kernel|KERNEL_CVE_2016_5195", + "error_key": "KERNEL_CVE_2016_5195", + "plugin": "CVE_2016_5195_kernel", + "description": "Kernel vulnerable to privilege escalation via permission bypass (CVE-2016-5195)", + "summary": "A flaw was found in the Linux kernel's memory subsystem. An unprivileged local user could use this flaw to write to files they would normally only have read-only access to and thus increase their privileges on the system.", + "generic": "A race condition was found in the way Linux kernel's memory subsystem handled breakage of the the read only shared mappings COW situation on write access. An unprivileged local user could use this flaw to write to files they should normally have read-only access to, and thus increase their privileges on the system.\n\nA process that is able to mmap a file is able to race Copy on Write (COW) page creation (within get_user_pages) with madvise(MADV_DONTNEED) kernel system calls. This would allow modified pages to bypass the page protection mechanism and modify the mapped file. The vulnerability could be abused by allowing an attacker to modify existing setuid files with instructions to elevate permissions. This attack has been found in the wild. \n\nRed Hat recommends that you update the kernel package or apply mitigations.", + "reason": "

A flaw was found in the Linux kernel's memory subsystem. An unprivileged local user could use this flaw to write to files they would normally have read-only access to and thus increase their privileges on the system.

\n

This host is affected because it is running kernel 3.10.0-123.el7.

\n

There is currently no mitigation applied and your system is vulnerable.

\n", + "type": null, + "more_info": "* For more information about the flaw see [CVE-2016-5195](https://access.redhat.com/security/cve/CVE-2016-5195)\n* To learn how to upgrade packages, see \"[What is yum and how do I use it?](https://access.redhat.com/solutions/9934)\"\n* The Customer Portal page for the [Red Hat Security Team](https://access.redhat.com/security/) contains more information about policies, procedures, and alerts for Red Hat Products.\n* The Security Team also maintains a frequently updated blog at [securityblog.redhat.com](https://securityblog.redhat.com).", + "active": true, + "node_id": "2706661", + "category": "Security", + "retired": false, + "reboot_required": false, + "publish_date": "2016-10-31T04:08:33.000Z", + "rec_impact": 2, + "rec_likelihood": 2, + "resolution": "

Red Hat recommends that you update the kernel package and restart the system:

\n
# yum update kernel\n# reboot\n

or

\n

Alternatively, this issue can be addressed by applying mitigations until the machine is restarted with the updated kernel package.

\n

Please refer to the Resolve Tab in the vulnerability article for information about the mitigation and the latest information.

\n" + }, + "maintenance_actions": [{ + "done": false, + "id": 29885, + "maintenance_plan": { + "maintenance_id": 12195, + "name": null, + "description": null, + "start": null, + "end": null, + "created_by": "rhn-support-jnewton", + "silenced": false, + "hidden": true, + "suggestion": "proposed", + "remote_branch": null + } + }] + }, { + "details": { + "package": "bash-4.2.45-5.el7", + "error_key": "VULNERABLE_BASH_DETECTED" + }, + "id": 709784505, + "rule_id": "bash_injection|VULNERABLE_BASH_DETECTED", + "system_id": "f31b6265939d4a8492d3ce9655dc94be", + "account_number": "540155", + "uuid": "d195e3c5e5e6469781c4e59fa3f5ba87", + "date": "2017-05-25T14:01:19.000Z", + "rule": { + "summary_html": "

In September 2014, an exploitable bug known as Shellshock was discovered in commonly shipped versions of the bash shell.

\n", + "generic_html": "

Hosts running earlier versions of bash are affected by the code injection vulnerability known as Shellshock.

\n", + "more_info_html": "

For further information about this critical vulnerability, see:

\n\n", + "severity": "WARN", + "ansible": true, + "ansible_fix": true, + "ansible_mitigation": false, + "rule_id": "bash_injection|VULNERABLE_BASH_DETECTED", + "error_key": "VULNERABLE_BASH_DETECTED", + "plugin": "bash_injection", + "description": "Bash locally vulnerable via environment variables (CVE-2014-6271, CVE-2014-7169/Shellshock)", + "summary": "In September 2014, an exploitable bug known as Shellshock was discovered in commonly shipped versions of the bash shell.", + "generic": "Hosts running earlier versions of `bash` are affected by the code injection vulnerability known as **Shellshock**.", + "reason": "

This host is running a version of bash that is affected by the code injection vulnerability known as Shellshock.

\n

The package affected is bash-4.2.45-5.el7.

\n", + "type": null, + "more_info": "For further information about this **critical** vulnerability, see:\n* [Bash Code Injection Vulnerability via Specially Crafted Environment Variables (CVE-2014-6271, CVE-2014-7169)](https://access.redhat.com/articles/1200223)\n* [CVE-2014-6271](https://access.redhat.com/security/cve/CVE-2014-6271)\n* [CVE-2014-7169](https://access.redhat.com/security/cve/CVE-2014-7169)", + "active": true, + "node_id": "1200223", + "category": "Security", + "retired": false, + "reboot_required": false, + "publish_date": "2016-10-31T04:08:36.000Z", + "rec_impact": 2, + "rec_likelihood": 2, + "resolution": "

Red Hat recommends that you upgrade bash immediately:

\n
# yum update bash\n
" + }, + "maintenance_actions": [] + }, { + "details": { + "detected_problem_log_perms": [{ + "log_perms_dirfilename": "/var/log/cron", + "log_perms_sensitive": true, + "log_perms_ls_line": "-rw-r--r--. 1 root root 15438 May 25 10:01 cron" + }], + "error_key": "HARDENING_LOGGING_3_LOG_PERMS" + }, + "id": 709784525, + "rule_id": "hardening_logging_log_perms|HARDENING_LOGGING_3_LOG_PERMS", + "system_id": "f31b6265939d4a8492d3ce9655dc94be", + "account_number": "540155", + "uuid": "d195e3c5e5e6469781c4e59fa3f5ba87", + "date": "2017-05-25T14:01:19.000Z", + "rule": { + "summary_html": "

Issues related to system logging and auditing were detected on your system. Important services are disabled or log file permissions are not secure.

\n", + "generic_html": "

Issues related to system logging and auditing were detected on your system.

\n

Red Hat recommends that the logging service rsyslog and the auditing service auditd are enabled and that log files in /var/log have secure permissions.

\n", + "more_info_html": "\n", + "severity": "INFO", + "ansible": false, + "ansible_fix": false, + "ansible_mitigation": false, + "rule_id": "hardening_logging_log_perms|HARDENING_LOGGING_3_LOG_PERMS", + "error_key": "HARDENING_LOGGING_3_LOG_PERMS", + "plugin": "hardening_logging_log_perms", + "description": "Decreased security in system logging permissions", + "summary": "Issues related to system logging and auditing were detected on your system. Important services are disabled or log file permissions are not secure.\n", + "generic": "Issues related to system logging and auditing were detected on your system.\n\nRed Hat recommends that the logging service `rsyslog` and the auditing service `auditd` are enabled and that log files in `/var/log` have secure permissions.\n", + "reason": "

Log files have permission issues.

\n

The following files or directories in /var/log have file permissions that differ from the default RHEL configuration and are possibly non-secure. Red Hat recommends that the file permissions be adjusted to more secure settings.

\n\n \n \n \n \n \n\n\n\n\n\n\n\n
File or directory nameDetected problemOutput from ls -l
/var/log/cronUsers other than root can read or write.-rw-r--r--. 1 root root 15438 May 25 10:01 cron
\n\n\n\n", + "type": null, + "more_info": "* [Why is `/var/log/cron` world readable in RHEL7?](https://access.redhat.com/solutions/1491573)\n* [Using the chkconfig Utility](https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/s2-services-chkconfig.html) to configure services on RHEL 6\n* [Managing System Services](https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/sect-Managing_Services_with_systemd-Services.html) to configure services on RHEL 7\n* The Customer Portal page for the [Red Hat Security Team](https://access.redhat.com/security/) contains more information about policies, procedures, and alerts for Red Hat products.\n* The Security Team also maintains a frequently updated blog at [securityblog.redhat.com](https://securityblog.redhat.com).\n", + "active": true, + "node_id": null, + "category": "Security", + "retired": false, + "reboot_required": false, + "publish_date": "2017-05-16T04:08:34.000Z", + "rec_impact": 1, + "rec_likelihood": 1, + "resolution": "

Red Hat recommends that you perform the following adjustments:

\n

Fixing permission issues depends on whether there is a designated safe group on your system that has Read access to the log files. This situation might exist if you want to allow certain administrators to see the log files without becoming root. To prevent log tampering, no other user than root should have permissions to Write to the log files. (The btmp and wtmp files are owned by the utmp group but other users should still be unable to write to them.)

\n

Fix for a default RHEL configuration

\n

(No designated group for reading log files)

\n
chown root:root /var/log/cron\nchmod u=rw,g-x,o-rwx /var/log/cron\n

Fix for a configuration with a designated safe group for reading log files

\n

In the following lines, substitute the name of your designated safe group for the string safegroup:

\n
chown root:safegroup /var/log/cron\nchmod u=rw,g-x,o-rwx /var/log/cron\n
" + }, + "maintenance_actions": [] + }, { + "details": { + "filesystems": [{ + "usage": "99", + "mountpoint": "/" + }, { + "usage": "99", + "mountpoint": "/" + }], + "error_key": "FILESYSTEM_CAPACITY" + }, + "id": 709784535, + "rule_id": "filesystem_capacity|FILESYSTEM_CAPACITY", + "system_id": "f31b6265939d4a8492d3ce9655dc94be", + "account_number": "540155", + "uuid": "d195e3c5e5e6469781c4e59fa3f5ba87", + "date": "2017-05-25T14:01:19.000Z", + "rule": { + "summary_html": "

File systems nearing full capacity can cause performance issues because blocks must be used from different block groups. \nBesides, file systems at or exceeding capacity will have stability issues because applications will no longer be able to write to the file system.

\n", + "generic_html": "

File systems nearing full capacity can cause performance issues because blocks must be used from different block groups. \nBesides, file systems at or exceeding capacity will have stability issues because applications will no longer be able to write to the file system.

\n", + "more_info_html": "

How to increase the filesystem size?\nHow do I find out what is using disk space?

\n", + "severity": "WARN", + "ansible": false, + "ansible_fix": false, + "ansible_mitigation": false, + "rule_id": "filesystem_capacity|FILESYSTEM_CAPACITY", + "error_key": "FILESYSTEM_CAPACITY", + "plugin": "filesystem_capacity", + "description": "Decreased stability and/or performance due to filesystem over 95% capacity", + "summary": "File systems nearing full capacity can cause performance issues because blocks must be used from different block groups. \nBesides, file systems at or exceeding capacity will have stability issues because applications will no longer be able to write to the file system.\n", + "generic": "File systems nearing full capacity can cause performance issues because blocks must be used from different block groups. \nBesides, file systems at or exceeding capacity will have stability issues because applications will no longer be able to write to the file system.\n", + "reason": "

This host has the following file systems nearing or at capacity:

\n", + "type": null, + "more_info": "[How to increase the filesystem size?](https://access.redhat.com/solutions/21820)\n[How do I find out what is using disk space?](https://access.redhat.com/solutions/1154683)\n", + "active": true, + "node_id": "1154683", + "category": "Stability", + "retired": false, + "reboot_required": false, + "publish_date": "2016-10-31T04:08:36.000Z", + "rec_impact": 2, + "rec_likelihood": 3, + "resolution": "

To solve the issue, Red Hat recommends that you either add more storage capacity to the identified file systems, or remove unnecessary files to reduce the current usage.\nPlease refer to more_information part for more detailed steps.

\n" + }, + "maintenance_actions": [] + }, { + "details": { + "msg": "[ 0.000000] crashkernel=auto resulted in zero bytes of reserved memory.", + "auto_with_low_ram": true, + "rhel_ver": 7, + "error_key": "CRASHKERNEL_RESERVATION_FAILED" + }, + "id": 709784555, + "rule_id": "crashkernel_reservation_failed|CRASHKERNEL_RESERVATION_FAILED", + "system_id": "f31b6265939d4a8492d3ce9655dc94be", + "account_number": "540155", + "uuid": "d195e3c5e5e6469781c4e59fa3f5ba87", + "date": "2017-05-25T14:01:19.000Z", + "rule": { + "summary_html": "

The crashkernel configuration has failed to produce a working kdump environment. Configuration changes must be made to enable vmcore capture.

\n", + "generic_html": "

Kdump is unable to reserve memory for the kdump kernel. The kdump service has not started and a vmcore will not be captured if the host crashes, which will make it difficult for our support technicians to determine why the machine crashed.

\n", + "more_info_html": "", + "severity": "WARN", + "ansible": false, + "ansible_fix": false, + "ansible_mitigation": false, + "rule_id": "crashkernel_reservation_failed|CRASHKERNEL_RESERVATION_FAILED", + "error_key": "CRASHKERNEL_RESERVATION_FAILED", + "plugin": "crashkernel_reservation_failed", + "description": "Kdump crashkernel reservation failed due to improper configuration of crashkernel parameter", + "summary": "The crashkernel configuration has failed to produce a working kdump environment. Configuration changes must be made to enable vmcore capture.\n", + "generic": "Kdump is unable to reserve memory for the kdump kernel. The kdump service has not started and a vmcore will not be captured if the host crashes, which will make it difficult for our support technicians to determine why the machine crashed.", + "reason": "

This host is unable to reserve memory for the kdump kernel:

\n
[    0.000000] crashkernel=auto resulted in zero bytes of reserved memory.\n

This means the kdump service has not started and a vmcore will not be captured if the host crashes, which will make it difficult for our support technicians to determine why the machine crashed.

\n", + "type": null, + "more_info": null, + "active": true, + "node_id": "59432", + "category": "Stability", + "retired": false, + "reboot_required": false, + "publish_date": "2016-10-31T04:08:33.000Z", + "rec_impact": 1, + "rec_likelihood": 3, + "resolution": "

To fix this issue, Red Hat recommends that you change the crashkernel setting in the grub.conf file.

\n

This host failed to reserved memory with auto crashkernel parameter due to low physical memory. The memory must be reserved by explicitly requesting the reservation size, for example: crashkernel=128M.

\n

For details of crashkernel setting, please refer to the Knowledge article How should the crashkernel parameter be configured for using kdump on RHEL7? to pickup the setting specifically for your host.

\n" + }, + "maintenance_actions": [] + }, { + "details": { + "error_key": "TZDATA_NEED_UPGRADE_INFO_NEED_MANUAL_ACTION" + }, + "id": 709784565, + "rule_id": "tzdata_need_upgrade|TZDATA_NEED_UPGRADE_INFO_NEED_MANUAL_ACTION", + "system_id": "f31b6265939d4a8492d3ce9655dc94be", + "account_number": "540155", + "uuid": "d195e3c5e5e6469781c4e59fa3f5ba87", + "date": "2017-05-25T14:01:19.000Z", + "rule": { + "summary_html": "

System clock inaccurate when a leap second event happens in a non-NTP system without following the TAI timescale.

\n", + "generic_html": "

System clock inaccurate when a leap second event happens in a non-NTP system without following the TAI timescale.

\n", + "more_info_html": "", + "severity": "INFO", + "ansible": false, + "ansible_fix": false, + "ansible_mitigation": false, + "rule_id": "tzdata_need_upgrade|TZDATA_NEED_UPGRADE_INFO_NEED_MANUAL_ACTION", + "error_key": "TZDATA_NEED_UPGRADE_INFO_NEED_MANUAL_ACTION", + "plugin": "tzdata_need_upgrade", + "description": "System clock inaccurate when a leap second event happens in a non-NTP system without following the TAI timescale", + "summary": "System clock inaccurate when a leap second event happens in a non-NTP system without following the TAI timescale.\n", + "generic": "System clock inaccurate when a leap second event happens in a non-NTP system without following the TAI timescale.\n", + "reason": "

This system running as a non-NTP system is following the UTC timescale. In this situation, manual correction is required to avoid system clock inaccuracy when a leap second event happens.

\n", + "type": null, + "more_info": null, + "active": true, + "node_id": "1465713", + "category": "Stability", + "retired": false, + "reboot_required": false, + "publish_date": null, + "rec_impact": 2, + "rec_likelihood": 1, + "resolution": "

The system clock of this system needs manual correction when a leap second event happens. For example:

\n
\n\n# date -s \"20170101 HH:MM:SS\"\n\n
\n\n

You need to replace "HH:MM:SS" with the accurate time after the leap second occurs.

\n" + }, + "maintenance_actions": [] + }, { + "details": { + "selinux_info": true, + "package_name": "kernel", + "selinux_enforcing": true, + "selinux_can_help": true, + "minimal_selinux_policy": "selinux-policy-3.13.1-81.el7", + "selinux_enabled": true, + "vulnerable_kernel": "3.10.0-123.el7", + "active_policy": "selinux-policy-3.12.1-153.el7", + "dccp_loading_disabled": null, + "error_key": "KERNEL_CVE_2017_6074", + "enough_policy": false, + "dccp_loaded": null, + "mitigation_info": false + }, + "id": 709784575, + "rule_id": "CVE_2017_6074_kernel|KERNEL_CVE_2017_6074", + "system_id": "f31b6265939d4a8492d3ce9655dc94be", + "account_number": "540155", + "uuid": "d195e3c5e5e6469781c4e59fa3f5ba87", + "date": "2017-05-25T14:01:19.000Z", + "rule": { + "summary_html": "

A use-after-free flaw was found in the Linux kernel IPv6 DCCP network protocol code. It has been assigned CVE-2017-6074. An unprivileged local user could use this flaw to execute arbitrary code in kernel memory and increase their privileges on the system.

\n", + "generic_html": "

A use-after-free flaw was found in the Linux kernel IPv6 DCCP network protocol code. It has been assigned CVE-2017-6074.

\n

An unprivileged local user could use this flaw to execute arbitrary code in kernel memory and increase their privileges on the system. A local user could initiate a DCCP network connection on any local system network interface and then create specially-crafted memory allocations containing malicious instructions that can then either cause a crash or potentially escalate the user's privileges.

\n

An attacker must have access to a local account on the system; this is not a remote attack and it requires IPv6 support to be enabled on the system.

\n

Red Hat recommends that you update the kernel when possible. Otherwise, you can use proposed mitigation to disable DCCP. SELinux in enforcing mode can also mitigate the issue under specific circumstances.

\n", + "more_info_html": "\n", + "severity": "WARN", + "ansible": true, + "ansible_fix": false, + "ansible_mitigation": false, + "rule_id": "CVE_2017_6074_kernel|KERNEL_CVE_2017_6074", + "error_key": "KERNEL_CVE_2017_6074", + "plugin": "CVE_2017_6074_kernel", + "description": "Kernel vulnerable to local privilege escalation via DCCP module (CVE-2017-6074)", + "summary": "A use-after-free flaw was found in the Linux kernel IPv6 DCCP network protocol code. It has been assigned [CVE-2017-6074](https://access.redhat.com/security/cve/CVE-2017-6074). An unprivileged local user could use this flaw to execute arbitrary code in kernel memory and increase their privileges on the system.\n", + "generic": "A use-after-free flaw was found in the Linux kernel IPv6 DCCP network protocol code. It has been assigned CVE-2017-6074. \n\nAn unprivileged local user could use this flaw to execute arbitrary code in kernel memory and increase their privileges on the system. A local user could initiate a DCCP network connection on any local system network interface and then create specially-crafted memory allocations containing malicious instructions that can then either cause a crash or potentially escalate the user's privileges.\n\nAn attacker must have access to a local account on the system; this is not a remote attack and it requires IPv6 support to be enabled on the system.\n\nRed Hat recommends that you update the kernel when possible. Otherwise, you can use proposed mitigation to disable DCCP. SELinux in enforcing mode can also mitigate the issue under specific circumstances.\n", + "reason": "

A use-after-free flaw was found within the Linux kernel IPv6 DCCP network protocol code.

\n

This host is affected because:

\n\n\n\n\n\n\n\n

Your installed SELinux policy is selinux-policy-3.12.1-153.el7; however, to mitigate the issue, the earliest required version is selinux-policy-3.13.1-81.el7.

\n", + "type": null, + "more_info": "* For more information about the flaw, see [CVE-2017-6074](https://access.redhat.com/security/cve/CVE-2017-6074).\n* To learn how to upgrade packages, see [What is yum and how do I use it?](https://access.redhat.com/solutions/9934).\n* For more information about SELinux, see [Benefits of running SELinux](https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/SELinux_Users_and_Administrators_Guide/chap-Security-Enhanced_Linux-Introduction.html#sect-Security-Enhanced_Linux-Introduction-Benefits_of_running_SELinux).\n* The Customer Portal page for the [Red Hat Security Team](https://access.redhat.com/security/) contains more information about policies, procedures, and alerts for Red Hat products.\n* The Security Team also maintains a frequently updated blog at [securityblog.redhat.com](https://securityblog.redhat.com).\n", + "active": true, + "node_id": null, + "category": "Security", + "retired": false, + "reboot_required": false, + "publish_date": null, + "rec_impact": 2, + "rec_likelihood": 2, + "resolution": "

Red Hat recommends updating the kernel package and rebooting the system.

\n
# yum update kernel\n# reboot\n

Alternatively, apply one of the following mitigations:

\n
Update SELinux policy
\n

Update your SELinux policy:

\n
# yum update selinux-policy\n

The system does not provide enough information for Insights about loaded kernel modules. It is not possible to recommend a mitigation based on kernel modules.

\n" + }, + "maintenance_actions": [] + }, { + "details": { + "mitigation_conf": "no", + "sysctl_live_ack_limit": "100", + "package_name": "kernel", + "sysctl_live_ack_limit_line": "net.ipv4.tcp_challenge_ack_limit = 100", + "error_key": "KERNEL_CVE_2016_5696_URGENT", + "vulnerable_kernel": "3.10.0-123.el7", + "sysctl_conf_ack_limit": "100", + "sysctl_conf_ack_limit_line": "net.ipv4.tcp_challenge_ack_limit=100", + "mitigation_live": "no" + }, + "id": 766342155, + "rule_id": "CVE_2016_5696_kernel|KERNEL_CVE_2016_5696_URGENT", + "system_id": "f31b6265939d4a8492d3ce9655dc94be", + "account_number": "540155", + "uuid": "d195e3c5e5e6469781c4e59fa3f5ba87", + "date": "2017-05-25T14:01:19.000Z", + "rule": { + "summary_html": "

A flaw in the Linux kernel's TCP/IP networking subsystem implementation of the RFC 5961 challenge ACK rate limiting was found that could allow an attacker located on different subnet to inject or take over a TCP connection between a server and client without needing to use a traditional man-in-the-middle (MITM) attack.

\n", + "generic_html": "

A flaw was found in the implementation of the Linux kernel's handling of networking challenge ack (RFC 5961) where an attacker is able to determine the\nshared counter. This flaw allows an attacker located on different subnet to inject or take over a TCP connection between a server and client without needing to use a traditional man-in-the-middle (MITM) attack.

\n

Red Hat recommends that you update the kernel package or apply mitigations.

\n", + "more_info_html": "\n", + "severity": "ERROR", + "ansible": true, + "ansible_fix": false, + "ansible_mitigation": false, + "rule_id": "CVE_2016_5696_kernel|KERNEL_CVE_2016_5696_URGENT", + "error_key": "KERNEL_CVE_2016_5696_URGENT", + "plugin": "CVE_2016_5696_kernel", + "description": "Kernel vulnerable to man-in-the-middle via payload injection", + "summary": "A flaw in the Linux kernel's TCP/IP networking subsystem implementation of the [RFC 5961](https://tools.ietf.org/html/rfc5961) challenge ACK rate limiting was found that could allow an attacker located on different subnet to inject or take over a TCP connection between a server and client without needing to use a traditional man-in-the-middle (MITM) attack.", + "generic": "A flaw was found in the implementation of the Linux kernel's handling of networking challenge ack ([RFC 5961](https://tools.ietf.org/html/rfc5961)) where an attacker is able to determine the\nshared counter. This flaw allows an attacker located on different subnet to inject or take over a TCP connection between a server and client without needing to use a traditional man-in-the-middle (MITM) attack. \n\nRed Hat recommends that you update the kernel package or apply mitigations.", + "reason": "

A flaw was found in the implementation of the Linux kernel's handling of networking challenge ack (RFC 5961) where an attacker is able to determine the\nshared counter. This flaw allows an attacker located on different subnet to inject or take over a TCP connection between a server and client without needing to use a traditional man-in-the-middle (MITM) attack.

\n

This host is affected because it is running kernel 3.10.0-123.el7.

\n

Your currently loaded kernel configuration contains this setting:

\n
net.ipv4.tcp_challenge_ack_limit = 100\n

Your currently stored kernel configuration is:

\n
net.ipv4.tcp_challenge_ack_limit=100\n

There is currently no mitigation applied and your system is vulnerable.

\n", + "type": null, + "more_info": "* For more information about the flaw see [CVE-2016-5696](https://access.redhat.com/security/cve/CVE-2016-5696)\n* To learn how to upgrade packages, see \"[What is yum and how do I use it?](https://access.redhat.com/solutions/9934)\"\n* The Customer Portal page for the [Red Hat Security Team](https://access.redhat.com/security/) contains more information about policies, procedures, and alerts for Red Hat Products.\n* The Security Team also maintains a frequently updated blog at [securityblog.redhat.com](https://securityblog.redhat.com).", + "active": true, + "node_id": "2438571", + "category": "Security", + "retired": false, + "reboot_required": false, + "publish_date": "2016-10-31T04:08:32.000Z", + "rec_impact": 4, + "rec_likelihood": 2, + "resolution": "

Red Hat recommends that you update the kernel package and restart the system:

\n
# yum update kernel\n# reboot\n

or

\n

Alternatively, this issue can be addressed by applying the following mitigations until the machine is restarted with the updated kernel package.

\n

Edit /etc/sysctl.conf file as root, add the mitigation configuration, and reload the kernel configuration:

\n
# echo "net.ipv4.tcp_challenge_ack_limit = 2147483647" >> /etc/sysctl.conf \n# sysctl -p\n
" + }, + "maintenance_actions": [{ + "done": false, + "id": 56045, + "maintenance_plan": { + "maintenance_id": 15875, + "name": "Payload Injection Fix", + "description": "", + "start": "2017-06-01T02:00:00.000Z", + "end": "2017-06-01T03:00:00.000Z", + "created_by": "rhn-support-wnix", + "silenced": false, + "hidden": false, + "suggestion": null, + "remote_branch": null + } + }, { + "done": false, + "id": 61575, + "maintenance_plan": { + "maintenance_id": 16825, + "name": "Summit 2017 Plan 1", + "description": "", + "start": null, + "end": null, + "created_by": "rhn-support-wnix", + "silenced": false, + "hidden": false, + "suggestion": null, + "remote_branch": null + } + }, { + "done": false, + "id": 66175, + "maintenance_plan": { + "maintenance_id": 19435, + "name": null, + "description": null, + "start": null, + "end": null, + "created_by": "rhn-support-wnix", + "silenced": false, + "hidden": false, + "suggestion": null, + "remote_branch": null + } + }, { + "done": false, + "id": 71015, + "maintenance_plan": { + "maintenance_id": 19835, + "name": "Optum Payload", + "description": "", + "start": "2017-05-27T02:00:00.000Z", + "end": "2017-05-27T03:00:00.000Z", + "created_by": "rhn-support-wnix", + "silenced": false, + "hidden": false, + "suggestion": null, + "remote_branch": null + } + }] + }, { + "details": { + "mod_loading_disabled": null, + "package_name": "kernel", + "error_key": "KERNEL_CVE_2017_2636", + "vulnerable_kernel": "3.10.0-123.el7", + "mod_loaded": null, + "mitigation_info": false + }, + "id": 766342165, + "rule_id": "CVE_2017_2636_kernel|KERNEL_CVE_2017_2636", + "system_id": "f31b6265939d4a8492d3ce9655dc94be", + "account_number": "540155", + "uuid": "d195e3c5e5e6469781c4e59fa3f5ba87", + "date": "2017-05-25T14:01:19.000Z", + "rule": { + "summary_html": "

A vulnerability in the Linux kernel allowing local privilege escalation was discovered.\nThe issue was reported as CVE-2017-2636.

\n", + "generic_html": "

A use-after-free flaw was found in the Linux kernel implementation of the HDLC (High-Level Data Link Control) TTY line discipline implementation. It has been assigned CVE-2017-2636.

\n

An unprivileged local user could use this flaw to execute arbitrary code in kernel memory and increase their privileges on the system. The kernel uses a TTY subsystem to take and show terminal output to connected systems. An attacker crafting specific-sized memory allocations could abuse this mechanism to place a kernel function pointer with malicious instructions to be executed on behalf of the attacker.

\n

An attacker must have access to a local account on the system; this is not a remote attack. Exploiting this flaw does not require Microgate or SyncLink hardware to be in use.

\n

Red Hat recommends that you use the proposed mitigation to disable the N_HDLC module.

\n", + "more_info_html": "\n", + "severity": "WARN", + "ansible": true, + "ansible_fix": false, + "ansible_mitigation": false, + "rule_id": "CVE_2017_2636_kernel|KERNEL_CVE_2017_2636", + "error_key": "KERNEL_CVE_2017_2636", + "plugin": "CVE_2017_2636_kernel", + "description": "Kernel vulnerable to local privilege escalation via n_hdlc module (CVE-2017-2636)", + "summary": "A vulnerability in the Linux kernel allowing local privilege escalation was discovered.\nThe issue was reported as [CVE-2017-2636](https://access.redhat.com/security/cve/CVE-2017-2636).\n", + "generic": "A use-after-free flaw was found in the Linux kernel implementation of the HDLC (High-Level Data Link Control) TTY line discipline implementation. It has been assigned CVE-2017-2636.\n\nAn unprivileged local user could use this flaw to execute arbitrary code in kernel memory and increase their privileges on the system. The kernel uses a TTY subsystem to take and show terminal output to connected systems. An attacker crafting specific-sized memory allocations could abuse this mechanism to place a kernel function pointer with malicious instructions to be executed on behalf of the attacker.\n\nAn attacker must have access to a local account on the system; this is not a remote attack. Exploiting this flaw does not require Microgate or SyncLink hardware to be in use.\n\nRed Hat recommends that you use the proposed mitigation to disable the N_HDLC module.\n", + "reason": "

A use-after-free flaw was found in the Linux kernel implementation of the HDLC (High-Level Data Link Control) TTY line discipline implementation.

\n

This host is affected because it is running kernel 3.10.0-123.el7.

\n", + "type": null, + "more_info": "* For more information about the flaw, see [CVE-2017-2636](https://access.redhat.com/security/cve/CVE-2017-2636) and [CVE-2017-2636 article](https://access.redhat.com/security/vulnerabilities/CVE-2017-2636).\n* The Customer Portal page for the [Red Hat Security Team](https://access.redhat.com/security/) contains more information about policies, procedures, and alerts for Red Hat products.\n* The Security Team also maintains a frequently updated blog at [securityblog.redhat.com](https://securityblog.redhat.com).\n", + "active": true, + "node_id": null, + "category": "Security", + "retired": false, + "reboot_required": false, + "publish_date": null, + "rec_impact": 2, + "rec_likelihood": 2, + "resolution": "

Red Hat recommends updating the kernel package and rebooting the system.

\n
# yum update kernel\n# reboot\n
" + }, + "maintenance_actions": [{ + "done": false, + "id": 58335, + "maintenance_plan": { + "maintenance_id": 16545, + "name": "Insights Summit 2017 - n_HDLC", + "description": "", + "start": "2017-05-06T02:00:00.000Z", + "end": "2017-05-06T03:00:00.000Z", + "created_by": "rhn-support-wnix", + "silenced": false, + "hidden": false, + "suggestion": null, + "remote_branch": null + } + }, { + "done": false, + "id": 61895, + "maintenance_plan": { + "maintenance_id": 16835, + "name": "Summit 2017 N_HDLC", + "description": "", + "start": null, + "end": null, + "created_by": "rhn-support-wnix", + "silenced": false, + "hidden": false, + "suggestion": null, + "remote_branch": null + } + }, { + "done": false, + "id": 66225, + "maintenance_plan": { + "maintenance_id": 19445, + "name": "Seattle's Best Plan", + "description": null, + "start": null, + "end": null, + "created_by": "rhn-support-wnix", + "silenced": false, + "hidden": false, + "suggestion": null, + "remote_branch": null + } + }, { + "done": false, + "id": 71075, + "maintenance_plan": { + "maintenance_id": 19845, + "name": "Optum N_HDLC FIX", + "description": null, + "start": null, + "end": null, + "created_by": "rhn-support-wnix", + "silenced": false, + "hidden": false, + "suggestion": null, + "remote_branch": null + } + }] + }] + }; + // { + // "stale_ack": true, + // "unregistered_at": null, + // "product": "rhel", + // "display_name": null, + // "parent_id": null, + // "last_check_in": "2017-05-11T13:24:40.000Z", + // "created_at": "2017-05-11T13:24:26.000Z", + // "hostname": "37c2ce54c4ec", + // "remote_branch": null, + // "updated_at": "2017-05-12T18:12:40.000Z", + // "reports": [ + // { + // "maintenance_actions": [], + // "uuid": "a527f87cf47b4e60abddc0eea71d2a99", + // "rule": { + // "retired": false, + // "rec_likelihood": 2, + // "ansible": false, + // "summary": "Third party components, or installation of a distribution that is not Red Hat Enterprise Linux can lead to difficulties in supporting your 
system.", + // "category": "Stability", + // "severity": "INFO", + // "generic": "These hosts appear to be running a version of Linux other than Red Hat Enterprise Linux, or has components from a third party distribution, in some circumstances, this can mean a support case will be rejected.\n\nYou should confirm that this machine is installed with RHEL and review the [Production Support Scope of Coverage](https://access.redhat.com/support/offerings/production/soc)", + // "type": null, + // "more_info": null, + // "description": "Other Linux release detected", + // "rec_impact": 1, + // "reboot_required": false, + // "ansible_mitigation": false, + // "reason": "

This host appears to be running a version of Linux other than Red Hat Enterprise Linux, or has components from a third party distribution:

\n\n\n", + // "node_id": "1067", + // "generic_html": "

These hosts appear to be running a version of Linux other than Red Hat Enterprise Linux, or has components from a third party distribution, in some circumstances, this can mean a support case will be rejected.

\n

You should confirm that this machine is installed with RHEL and review the Production Support Scope of Coverage

\n", + // "active": true, + // "more_info_html": "", + // "plugin": "other_linux_system", + // "summary_html": "

Third party components, or installation of a distribution that is not Red Hat Enterprise Linux can lead to difficulties in supporting your system.

\n", + // "error_key": "OTHER_LINUX_SYSTEM", + // "publish_date": "2016-10-31T04:08:35.000Z", + // "resolution": "

Another version of Linux installed or running on the system can present difficulties when investigating issues with Red Hat Global Support Services.

\n

Depending on the situation, GSS may require you to demonstrate the problem on a RHEL only installation or be unable to assist and reject your case in accordance with the Production Support Scope of Coverage.

\n", + // "rule_id": "other_linux_system|OTHER_LINUX_SYSTEM", + // "ansible_fix": false + // }, + // "id": 730932995, + // "system_id": "231dc5b8-eb0e-46d0-a959-4716108b040c", + // "details": { + // "kernel": "4.4.47-boot2docker", + // "other_linux": "Unknown kernel", + // "error_key": "OTHER_LINUX_SYSTEM" + // }, + // "date": "2017-05-11T13:24:40.000Z", + // "rule_id": "other_linux_system|OTHER_LINUX_SYSTEM", + // "account_number": "1460290" + // }, + // { + // "maintenance_actions": ["PLAN: Tonic lab", "PLAN: foobar"], + // "uuid": "a527f87cf47b4e60abddc0eea71d2a99", + // "rule": { + // "retired": false, + // "rec_likelihood": 3, + // "ansible": false, + // "summary": "During boot time, the system runs a file system check against all devices in the `/etc/fstab` file. If the file system type specified in `/etc/fstab` is not the same as the output of the `mount` command, or the device specified in `etc/fstab` does not exist, the system will not boot successfully.\n", + // "category": "Availability", + // "severity": "ERROR", + // "generic": "During boot time, the system runs a file system check against all devices in the `/etc/fstab` file. If the file system type specified in `/etc/fstab` is not the same as the output of the `mount` command, or the device specified in `etc/fstab` does not exist, the system will not boot successfully.\n", + // "type": "rhel", + // "more_info": null, + // "description": "System will not reboot successfully when there is misconfiguration in /etc/fstab", + // "rec_impact": 3, + // "reboot_required": false, + // "ansible_mitigation": false, + // "reason": "

This host will not reboot successfully when there is no entry in /etc/fstab.

\n", + // "node_id": "23769", + // "generic_html": "

During boot time, the system runs a file system check against all devices in the /etc/fstab file. If the file system type specified in /etc/fstab is not the same as the output of the mount command, or the device specified in etc/fstab does not exist, the system will not boot successfully.

\n", + // "active": true, + // "more_info_html": "", + // "plugin": "sanity_check_fstab", + // "summary_html": "

During boot time, the system runs a file system check against all devices in the /etc/fstab file. If the file system type specified in /etc/fstab is not the same as the output of the mount command, or the device specified in etc/fstab does not exist, the system will not boot successfully.

\n", + // "error_key": "CHECK_FSTAB_ENTRY_ERROR", + // "publish_date": "2017-05-04T00:00:00.000Z", + // "resolution": "

To make sure the system can reboot correctly, Red Hat recommends that you add the necessary entries in /etc/fstab.

\n", + // "rule_id": "sanity_check_fstab|CHECK_FSTAB_ENTRY_ERROR", + // "ansible_fix": false + // }, + // "id": 730933025, + // "system_id": "231dc5b8-eb0e-46d0-a959-4716108b040c", + // "details": { + // "fstab_is_empty": "True", + // "error_key": "CHECK_FSTAB_ENTRY_ERROR" + // }, + // "date": "2017-05-11T13:24:40.000Z", + // "rule_id": "sanity_check_fstab|CHECK_FSTAB_ENTRY_ERROR", + // "account_number": "1460290" + // }, + // { + // "maintenance_actions": [], + // "uuid": "a527f87cf47b4e60abddc0eea71d2a99", + // "rule": { + // "retired": false, + // "rec_likelihood": 2, + // "ansible": true, + // "summary": "The grub's configuration file is not getting updated after installing new kernel when symlink missed.\n", + // "category": "Stability", + // "severity": "WARN", + // "generic": "When a new kernel is installed, the installation process updates the grub file under /etc directory which is a symlink to the grub file under /boot directory. If the symlink is deleted and a new regular file is created, the update to the new grub file under /etc directory will not be reflected to the grub file under /boot directory. \n\nFor RHEL6\n* No UEFI: /etc/grub.conf --> /boot/grub/grub.conf\n* With UEFI: /etc/grub.conf --> /boot/efi/EFI/redhat/grub.conf\n\nFor RHEL7\n* No UEFI: /etc/grub2.cfg --> /boot/grub2/grub.cfg\n* With UEFI: /etc/grub2.cfg --> /boot/efi/EFI/redhat/grub.cfg\n", + // "type": null, + // "more_info": null, + // "description": "The grub's configuration file is not getting updated after installing new kernel when symlink missed", + // "rec_impact": 3, + // "reboot_required": false, + // "ansible_mitigation": false, + // "reason": "

The symlink of grub configuration under "/etc" on this host was deleted or\nremoved mistakenly. \nHowever, it should be a symlink to the /boot/grub/grub.conf file.

\n", + // "node_id": "770663", + // "generic_html": "

When a new kernel is installed, the installation process updates the grub file under /etc directory which is a symlink to the grub file under /boot directory. If the symlink is deleted and a new regular file is created, the update to the new grub file under /etc directory will not be reflected to the grub file under /boot directory.

\n

For RHEL6

\n\n

For RHEL7

\n\n", + // "active": true, + // "more_info_html": "", + // "plugin": "missing_grub_symlink", + // "summary_html": "

The grub's configuration file is not getting updated after installing new kernel when symlink missed.

\n", + // "error_key": "MISSED_GRUB_SYMLINK_ISSUE", + // "publish_date": "2016-10-31T04:08:31.000Z", + // "resolution": "

To resolve the issue, Red Hat recommends that you complete the following steps:

\n
    \n
  1. Update the /boot/grub/grub.conf file content.
  2. \n\n# cp /etc/grub.conf /boot/grub/grub.conf\n\n
  3. Verify the /boot/grub/grub.conf file has been updated with all the entries.
  4. \n
  5. Remove the /etc/grub.conf file:
  6. \n\n# rm -f /etc/grub.conf\n\n
  7. Create a new symlink to the /boot/grub/grub.conf file:
  8. \n\n# ln -s /boot/grub/grub.conf /etc/grub.conf\n\n
  9. Verify the symlink:
  10. \n\n# ls -l /etc/grub.conf\nlrwxrwxrwx. 1 root root 22 Jan 14 2016 /etc/grub.conf -> ../boot/grub/grub.conf\n\n
\n", + // "rule_id": "missing_grub_symlink|MISSED_GRUB_SYMLINK_ISSUE", + // "ansible_fix": true + // }, + // "id": 730933035, + // "system_id": "231dc5b8-eb0e-46d0-a959-4716108b040c", + // "details": { + // "grub_name": "grub.conf", + // "grub_fullname": "/boot/grub/grub.conf", + // "grub_file": "no", + // "error_key": "MISSED_GRUB_SYMLINK_ISSUE" + // }, + // "date": "2017-05-11T13:24:40.000Z", + // "rule_id": "missing_grub_symlink|MISSED_GRUB_SYMLINK_ISSUE", + // "account_number": "1460290" + // }, + // { + // "maintenance_actions": [], + // "uuid": "a527f87cf47b4e60abddc0eea71d2a99", + // "rule": { + // "retired": false, + // "rec_likelihood": 1, + // "ansible": false, + // "summary": "System clock inaccurate when a leap second event happens in a non-NTP system without following the TAI timescale.\n", + // "category": "Stability", + // "severity": "INFO", + // "generic": "System clock inaccurate when a leap second event happens in a non-NTP system without following the TAI timescale.\n", + // "type": null, + // "more_info": null, + // "description": "System clock inaccurate when a leap second event happens in a non-NTP system without following the TAI timescale", + // "rec_impact": 2, + // "reboot_required": false, + // "ansible_mitigation": false, + // "reason": "

This system running as a non-NTP system is following the UTC timescale. In this situation, manual correction is required to avoid system clock inaccuracy when a leap second event happens.

\n", + // "node_id": "1465713", + // "generic_html": "

System clock inaccurate when a leap second event happens in a non-NTP system without following the TAI timescale.

\n", + // "active": true, + // "more_info_html": "", + // "plugin": "tzdata_need_upgrade", + // "summary_html": "

System clock inaccurate when a leap second event happens in a non-NTP system without following the TAI timescale.

\n", + // "error_key": "TZDATA_NEED_UPGRADE_INFO_NEED_MANUAL_ACTION", + // "publish_date": null, + // "resolution": "

The system clock of this system needs manual correction when a leap second event happens. For example:

\n
\n\n# date -s \"20170101 HH:MM:SS\"\n\n
\n\n

You need to replace "HH:MM:SS" with the accurate time after the leap second occurs.

\n", + // "rule_id": "tzdata_need_upgrade|TZDATA_NEED_UPGRADE_INFO_NEED_MANUAL_ACTION", + // "ansible_fix": false + // }, + // "id": 730933045, + // "system_id": "231dc5b8-eb0e-46d0-a959-4716108b040c", + // "details": { + // "error_key": "TZDATA_NEED_UPGRADE_INFO_NEED_MANUAL_ACTION" + // }, + // "date": "2017-05-11T13:24:40.000Z", + // "rule_id": "tzdata_need_upgrade|TZDATA_NEED_UPGRADE_INFO_NEED_MANUAL_ACTION", + // "account_number": "1460290" + // } + // ], + // "isCheckingIn": false, + // "system_id": "231dc5b8-eb0e-46d0-a959-4716108b040c", + // "account_number": "1460290", + // "system_type_id": 105, + // "toString": "37c2ce54c4ec", + // "type": "machine", + // "remote_leaf": null + // }; + return data; + }] } }; diff --git a/awx/ui/client/src/inventories/insights/main.js b/awx/ui/client/src/inventories/insights/main.js index 75e05fd1eb..44573e6c9a 100644 --- a/awx/ui/client/src/inventories/insights/main.js +++ b/awx/ui/client/src/inventories/insights/main.js @@ -5,7 +5,9 @@ *************************************************/ import controller from './insights.controller'; +import planFilter from './plan-filter'; export default angular.module('insightsDashboard', []) + .filter('planFilter', planFilter) .controller('InsightsController', controller); diff --git a/awx/ui/client/src/inventories/insights/plan-filter.js b/awx/ui/client/src/inventories/insights/plan-filter.js new file mode 100644 index 0000000000..ba64cd6894 --- /dev/null +++ b/awx/ui/client/src/inventories/insights/plan-filter.js 
@@ -0,0 +1,15 @@ +/************************************************* + * Copyright (c) 2017 Ansible, Inc. + * + * All Rights Reserved + *************************************************/ + + export default function(){ + return function(input) { + if(input === null || input === undefined || Array.isArray(input) && input.length === 0){ + return "PLAN: Not Available CREATE A NEW PLAN IN INSIGHTS"; + } else { + return `${input[0].maintenance_plan.name} (${input[0].id})`; + } + }; + } diff --git a/awx/ui/client/src/shared/branding/colors.default.less b/awx/ui/client/src/shared/branding/colors.default.less index b6216f524e..1f7ca0b2d0 100644 --- a/awx/ui/client/src/shared/branding/colors.default.less +++ b/awx/ui/client/src/shared/branding/colors.default.less @@ -23,6 +23,7 @@ @egrey: #EEEEEE; @cgrey: #CCCCCC; @f7grey: #F7F7F7; +@insights-yellow: #dedc4f; @default-warning: #F0AD4E; diff --git a/awx/ui/client/src/templates/list/templates-list.controller.js b/awx/ui/client/src/templates/list/templates-list.controller.js index 5cd54f1347..dc6467b834 100644 --- a/awx/ui/client/src/templates/list/templates-list.controller.js +++ b/awx/ui/client/src/templates/list/templates-list.controller.js @@ -77,10 +77,7 @@ export default ['$scope', '$rootScope', $scope[list.name] = $scope[`${list.iterator}_dataset`].results; }); }); - $scope.addJobTemplate = function() { - $state.go('jobTemplates.add'); - }; - + $scope.editJobTemplate = function(template) { if(template) { if(template.type && (template.type === 'Job Template' || template.type === 'job_template')) { From 289835f01b0a24a6f772de0c11e6205952305778 Mon Sep 17 00:00:00 2001 From: Jared Tabor Date: Wed, 31 May 2017 10:54:51 -0700 Subject: [PATCH 2/7] adding insights credential to inventory form in order to create an insights inventory --- .../standard/edit/inventory-edit.controller.js | 1 + .../client/src/inventories/standard/inventory.form.js | 11 +++++++++++ 2 files changed, 12 insertions(+) 
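Review bot: The filter returned from plan-filter.js dereferences `input[0].maintenance_plan.name` for every non-empty input, so an element without a `maintenance_plan` object throws a TypeError during the digest. The commented-out sample data earlier in this patch shows `maintenance_actions` holding plain strings such as `"PLAN: Tonic lab"`, which would hit that path if the filter is applied to that field; the template binding is not visible here, so confirm. I would guard the lookup with `const plan = Array.isArray(input) && input[0] && input[0].maintenance_plan;` followed by `if (!plan) { return "PLAN: Not Available CREATE A NEW PLAN IN INSIGHTS"; }`. A short JSDoc stating the expected element shape (an object with `id` and `maintenance_plan.name`) would also help.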
diff --git a/awx/ui/client/src/inventories/standard/edit/inventory-edit.controller.js b/awx/ui/client/src/inventories/standard/edit/inventory-edit.controller.js index 205b483779..5b0c19195c 100644 --- a/awx/ui/client/src/inventories/standard/edit/inventory-edit.controller.js +++ b/awx/ui/client/src/inventories/standard/edit/inventory-edit.controller.js @@ -29,6 +29,7 @@ function InventoriesEdit($scope, $location, $scope = angular.extend($scope, inventoryData); + $scope.credential_name = (inventoryData.summary_fields.credential && inventoryData.summary_fields.credential.name) ? inventoryData.summary_fields.credential.name : null; $scope.organization_name = inventoryData.summary_fields.organization.name; $scope.inventory_variables = inventoryData.variables === null || inventoryData.variables === '' ? '---' : ParseVariableString(inventoryData.variables); $scope.parseType = 'yaml'; diff --git a/awx/ui/client/src/inventories/standard/inventory.form.js b/awx/ui/client/src/inventories/standard/inventory.form.js index 08e3d8df48..b6fa892974 100644 --- a/awx/ui/client/src/inventories/standard/inventory.form.js +++ b/awx/ui/client/src/inventories/standard/inventory.form.js @@ -68,6 +68,17 @@ function(i18n, InventoryCompletedJobsList) { ngDisabled: '!(inventory_obj.summary_fields.user_capabilities.edit || canAdd) || !canEditOrg', awLookupWhen: '(inventory_obj.summary_fields.user_capabilities.edit || canAdd) && canEditOrg' }, + insights_credential: { + label: i18n._('Insights Credential'), + type: 'lookup', + list: 'CredentialList', + basePath: 'credentials', + sourceModel: 'credential', + sourceField: 'name', + search: { + credential_type: 13 //insights + } + }, inventory_variables: { realName: 'variables', label: i18n._('Variables'), From e2abbafa1ea6319a8c62090f89f5505df7dfc395 Mon Sep 17 00:00:00 2001 
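Review bot: The `insights_credential` lookup in inventory.form.js filters on the hard-coded `credential_type: 13`, which looks like a database primary key and is not guaranteed to identify the Insights type on every installation. If that id differs, the lookup would offer credentials of another type. I cannot tell from this hunk which query parameters the credentials endpoint supports; if it can filter by the type's kind or name, use that, and otherwise resolve the id at runtime. At minimum replace `//insights` with `// primary key of the Insights credential type; not assumed stable across installs`. The field key is `insights_credential`, while `sourceModel: 'credential'` and the edit controller's `credential_name` read `summary_fields.credential`, so verify those names against the API.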
From: Jared Tabor Date: Wed, 31 May 2017 14:32:09 -0700 Subject: [PATCH 3/7] adding insights row icon per host as well as hide the insights tab if a host is not an insights host. --- awx/ui/client/src/inventories/hosts/host.form.js | 3 ++- awx/ui/client/src/inventories/hosts/hosts.partial.html | 3 +++ .../src/inventories/hosts/list/host-list.controller.js | 3 +++ .../inventories/related-hosts/list/host-list.controller.js | 3 +++ .../src/inventories/related-hosts/related-host.form.js | 3 ++- .../src/inventories/related-hosts/related-host.list.js | 7 +++++++ awx/ui/client/src/shared/form-generator.js | 1 + awx/ui/client/src/shared/generator-helpers.js | 3 +++ 8 files changed, 24 insertions(+), 2 deletions(-) diff --git a/awx/ui/client/src/inventories/hosts/host.form.js b/awx/ui/client/src/inventories/hosts/host.form.js index 6f45b7b338..9cfec370d2 100644 --- a/awx/ui/client/src/inventories/hosts/host.form.js +++ b/awx/ui/client/src/inventories/hosts/host.form.js @@ -125,7 +125,8 @@ function(i18n) { awToolTip: i18n._('Please save before viewing Insights'), dataPlacement: 'top', title: i18n._('Insights'), - skipGenerator: true + skipGenerator: true, + ngIf: 'host.insights_system_id!==null' } } }; diff --git a/awx/ui/client/src/inventories/hosts/hosts.partial.html b/awx/ui/client/src/inventories/hosts/hosts.partial.html index bdc9a030c8..1f11db98bb 100644 --- a/awx/ui/client/src/inventories/hosts/hosts.partial.html +++ b/awx/ui/client/src/inventories/hosts/hosts.partial.html @@ -74,6 +74,9 @@
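Review bot: The new `ngIf: 'host.insights_system_id!==null'` on the Insights tab in host.form.js is true whenever the property is `undefined`, for example before `host` is populated or if the response omits the field. The tab would then be shown for a host that has no Insights id. The row action added to related-host.list.js in this same patch uses the truthy test `ngShow: 'host.insights_system_id'`; writing `ngIf: 'host.insights_system_id'` here keeps the two consistent and also covers `undefined` and empty strings. The identical line is added in related-host.form.js, and the enclosing form definition starts and ends outside the hunk.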
+ diff --git a/awx/ui/client/src/inventories/hosts/list/host-list.controller.js b/awx/ui/client/src/inventories/hosts/list/host-list.controller.js index e906052a79..d88bfadeb3 100644 --- a/awx/ui/client/src/inventories/hosts/list/host-list.controller.js +++ b/awx/ui/client/src/inventories/hosts/list/host-list.controller.js @@ -65,6 +65,9 @@ function HostsList($scope, HostsList, $rootScope, GetBasePath, $scope.editHost = function(id){ $state.go('hosts.edit', {host_id: id}); }; + $scope.goToInsights = function(id){ + $state.go('hosts.edit.insights', {host_id:id}); + }; $scope.deleteHost = function(id, name){ var body = '
Are you sure you want to permanently delete the host below from the inventory?
' + $filter('sanitize')(name) + '
'; var action = function(){ diff --git a/awx/ui/client/src/inventories/related-hosts/list/host-list.controller.js b/awx/ui/client/src/inventories/related-hosts/list/host-list.controller.js index b02c9cbf43..3af8c0c6eb 100644 --- a/awx/ui/client/src/inventories/related-hosts/list/host-list.controller.js +++ b/awx/ui/client/src/inventories/related-hosts/list/host-list.controller.js @@ -86,6 +86,9 @@ export default ['$scope', 'ListDefinition', '$rootScope', 'GetBasePath', $scope.editHost = function(id){ $state.go('inventories.edit.hosts.edit', {host_id: id}); }; + $scope.goToInsights = function(id){ + $state.go('inventories.edit.hosts.edit.insights', {host_id:id}); + }; $scope.deleteHost = function(id, name){ var body = '
Are you sure you want to permanently delete the host below from the inventory?
' + $filter('sanitize')(name) + '
'; var action = function(){ diff --git a/awx/ui/client/src/inventories/related-hosts/related-host.form.js b/awx/ui/client/src/inventories/related-hosts/related-host.form.js index 941f98d995..0ad88d8835 100644 --- a/awx/ui/client/src/inventories/related-hosts/related-host.form.js +++ b/awx/ui/client/src/inventories/related-hosts/related-host.form.js @@ -125,7 +125,8 @@ function(i18n) { awToolTip: i18n._('Please save before viewing Insights'), dataPlacement: 'top', title: i18n._('Insights'), - skipGenerator: true + skipGenerator: true, + ngIf: 'host.insights_system_id!==null' } } }; diff --git a/awx/ui/client/src/inventories/related-hosts/related-host.list.js b/awx/ui/client/src/inventories/related-hosts/related-host.list.js index c806fbaa58..7e1e114bad 100644 --- a/awx/ui/client/src/inventories/related-hosts/related-host.list.js +++ b/awx/ui/client/src/inventories/related-hosts/related-host.list.js @@ -50,6 +50,13 @@ export default { fieldActions: { columnClass: 'col-lg-6 col-md-4 col-sm-4 col-xs-5 text-right', + insights: { + ngClick: "goToInsights(host.id)", + icon: 'fa-info', + awToolTip: 'View Insights Data', + dataPlacement: 'top', + ngShow: 'host.insights_system_id' + }, copy: { mode: 'all', ngClick: "copyMoveHost(host.id)", diff --git a/awx/ui/client/src/shared/form-generator.js b/awx/ui/client/src/shared/form-generator.js index 96f0457fae..cf6b300ba5 100644 --- a/awx/ui/client/src/shared/form-generator.js +++ b/awx/ui/client/src/shared/form-generator.js @@ -1507,6 +1507,7 @@ angular.module('FormGenerator', [GeneratorHelpers.name, 'Utilities', listGenerat collection = this.form.related[itm]; html += `
Date: Wed, 31 May 2017 16:39:08 -0700 Subject: [PATCH 4/7] updates after feedback from ian hands more feedback from ian hands setting insights credential name if it exists for an inventory --- .../insights/insights.controller.js | 4 +- .../insights/insights.partial.html | 6 +- .../inventories/insights/insights.route.js | 865 +----------------- .../src/inventories/insights/plan-filter.js | 7 +- .../edit/inventory-edit.controller.js | 2 +- 5 files changed, 27 insertions(+), 857 deletions(-) diff --git a/awx/ui/client/src/inventories/insights/insights.controller.js b/awx/ui/client/src/inventories/insights/insights.controller.js index 0db15cf70c..74bd1a7652 100644 --- a/awx/ui/client/src/inventories/insights/insights.controller.js +++ b/awx/ui/client/src/inventories/insights/insights.controller.js @@ -4,7 +4,7 @@ * All Rights Reserved *************************************************/ -export default [ 'data', '$scope', 'moment', '$state', +export default [ 'InsightsData', '$scope', 'moment', '$state', function (data, $scope, moment, $state) { function init() { @@ -73,7 +73,7 @@ function (data, $scope, moment, $state) { } }; $scope.viewDataInInsights = function(){ - window.open('https://access.redhat.com/insights/info/', '_blank'); + window.open(`https://access.redhat.com/insights/inventory?machine=${$scope.$parent.host.insights_system_id}`, '_blank'); }; $scope.remediateInventory = function(){ $state.go('templates.addJobTemplate'); diff --git a/awx/ui/client/src/inventories/insights/insights.partial.html b/awx/ui/client/src/inventories/insights/insights.partial.html index d1e9fa5414..201f30171c 100644 --- a/awx/ui/client/src/inventories/insights/insights.partial.html +++ b/awx/ui/client/src/inventories/insights/insights.partial.html @@ -1,5 +1,5 @@
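Review bot: In `viewDataInInsights`, the new `window.open(..., '_blank')` call leaves `window.opener` in the external page pointing back at this application, and `insights_system_id` is interpolated into the query string unencoded. I would build the URL with `encodeURIComponent($scope.$parent.host.insights_system_id)` and clear the opener: `const w = window.open(url, '_blank');` then `if (w) { w.opener = null; }`. Reading the host through `$scope.$parent` also ties the controller to how the view is nested and throws if the parent scope has no `host`. The rest of the controller lies outside the hunk, so check whether the id can be passed in through the resolved data instead.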
+ ng-show="isCheckingIn=false"> This machine has not checked in with Insights in {{last_check_in}} hours
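Review bot: The added attribute `ng-show="isCheckingIn=false"` in insights.partial.html is an assignment, not a comparison. The expression writes `false` to `isCheckingIn` on the scope each time it is evaluated and itself evaluates to `false`, so the "has not checked in" warning can never be displayed. It should read `ng-show="isCheckingIn === false"`, or `ng-show="!isCheckingIn"` if an unset value should also show the warning. The surrounding markup is stripped from this rendering, so the element carrying the attribute is not visible here.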
@@ -68,7 +68,9 @@ {{report.rule.category}}
{{report.rule.summary}}
-
+
+
+
diff --git a/awx/ui/client/src/inventories/insights/insights.route.js b/awx/ui/client/src/inventories/insights/insights.route.js index 8bb744b116..3d7cf2c664 100644 --- a/awx/ui/client/src/inventories/insights/insights.route.js +++ b/awx/ui/client/src/inventories/insights/insights.route.js @@ -13,854 +13,21 @@ export default { } }, resolve: { - data: [ function(){ - var data = - { - "toString": "ansible1.tronik-insights440.atl.redhat.com", - "isCheckingIn": true, - "system_id": "f31b6265939d4a8492d3ce9655dc94be", - "display_name": null, - "remote_branch": null, - "remote_leaf": null, - "account_number": "540155", - "hostname": "ansible1.tronik-insights440.atl.redhat.com", - "parent_id": null, - "system_type_id": 105, - "last_check_in": "2017-05-25T14:01:19.000Z", - "stale_ack": false, - "type": "machine", - "product": "rhel", - "created_at": "2016-07-26T23:31:13.000Z", - "updated_at": "2017-05-25T14:01:19.000Z", - "unregistered_at": null, - "reports": [{ - "details": { - "vulnerable_setting": "hosts: files dns", - "affected_package": "glibc-2.17-55.el7", - "error_key": "GLIBC_CVE_2015_7547" - }, - "id": 709784455, - "rule_id": "CVE_2015_7547_glibc|GLIBC_CVE_2015_7547", - "system_id": "f31b6265939d4a8492d3ce9655dc94be", - "account_number": "540155", - "uuid": "d195e3c5e5e6469781c4e59fa3f5ba87", - "date": "2017-05-25T14:01:19.000Z", - "rule": { - "summary_html": "

A critical security flaw in the glibc library was found. It allows an attacker to crash an application built against that library or, potentially, execute arbitrary code with privileges of the user running the application.

\n", - "generic_html": "

The glibc library is vulnerable to a stack-based buffer overflow security flaw. A remote attacker could create specially crafted DNS responses that could cause the libresolv part of the library, which performs dual A/AAAA DNS queries, to crash or potentially execute code with the permissions of the user running the library. The issue is only exposed when libresolv is called from the nss_dns NSS service module. This flaw is known as CVE-2015-7547.

\n", - "more_info_html": "\n", - "severity": "ERROR", - "ansible": true, - "ansible_fix": false, - "ansible_mitigation": false, - "rule_id": "CVE_2015_7547_glibc|GLIBC_CVE_2015_7547", - "error_key": "GLIBC_CVE_2015_7547", - "plugin": "CVE_2015_7547_glibc", - "description": "Remote code execution vulnerability in libresolv via crafted DNS response (CVE-2015-7547)", - "summary": "A critical security flaw in the `glibc` library was found. It allows an attacker to crash an application built against that library or, potentially, execute arbitrary code with privileges of the user running the application.", - "generic": "The `glibc` library is vulnerable to a stack-based buffer overflow security flaw. A remote attacker could create specially crafted DNS responses that could cause the `libresolv` part of the library, which performs dual A/AAAA DNS queries, to crash or potentially execute code with the permissions of the user running the library. The issue is only exposed when `libresolv` is called from the nss_dns NSS service module. This flaw is known as [CVE-2015-7547](https://access.redhat.com/security/cve/CVE-2015-7547).", - "reason": "

This host is vulnerable because it has vulnerable package glibc-2.17-55.el7 installed and DNS is enabled in /etc/nsswitch.conf:

\n
hosts:      files dns\n

The glibc library is vulnerable to a stack-based buffer overflow security flaw. A remote attacker could create specially crafted DNS responses that could cause the libresolv part of the library, which performs dual A/AAAA DNS queries, to crash or potentially execute code with the permissions of the user running the library. The issue is only exposed when libresolv is called from the nss_dns NSS service module. This flaw is known as CVE-2015-7547.

\n", - "type": null, - "more_info": "* For more information about the flaw see [CVE-2015-7547](https://access.redhat.com/security/cve/CVE-2015-7547).\n* To learn how to upgrade packages, see \"[What is yum and how do I use it?](https://access.redhat.com/solutions/9934)\"\n* The Customer Portal page for the [Red Hat Security Team](https://access.redhat.com/security/) contains more information about policies, procedures, and alerts for Red Hat Products.\n* The Security Team also maintains a frequently updated blog at [securityblog.redhat.com](https://securityblog.redhat.com).", - "active": true, - "node_id": "2168451", - "category": "Security", - "retired": false, - "reboot_required": false, - "publish_date": "2016-10-31T04:08:35.000Z", - "rec_impact": 4, - "rec_likelihood": 2, - "resolution": "

Red Hat recommends updating glibc and restarting the affected system:

\n
# yum update glibc\n# reboot\n

Alternatively, you can restart all affected services, but because this vulnerability affects a large amount of applications on the system, the best solution is to restart the system.

\n" - }, - "maintenance_actions": [] - }, { - "details": { - "affected_kernel": "3.10.0-123.el7", - "error_key": "KERNEL_CVE-2016-0728" - }, - "id": 709784465, - "rule_id": "CVE_2016_0728_kernel|KERNEL_CVE-2016-0728", - "system_id": "f31b6265939d4a8492d3ce9655dc94be", - "account_number": "540155", - "uuid": "d195e3c5e5e6469781c4e59fa3f5ba87", - "date": "2017-05-25T14:01:19.000Z", - "rule": { - "summary_html": "

A vulnerability in the Linux kernel allowing local privilege escalation was discovered. The issue was reported as CVE-2016-0728.

\n", - "generic_html": "

A vulnerability in the Linux kernel rated Important was discovered. The use-after-free flaw relates to the way the Linux kernel's key management subsystem handles keyring object reference counting in certain error paths of the join_session_keyring() function. A local, unprivileged user could use this flaw to escalate their privileges on the system. The issue was reported as CVE-2016-0728.

\n

Red Hat recommends that you update the kernel and reboot the system. If you cannot reboot now, consider applying the systemtap patch to update your running kernel.

\n", - "more_info_html": "\n", - "severity": "WARN", - "ansible": true, - "ansible_fix": false, - "ansible_mitigation": false, - "rule_id": "CVE_2016_0728_kernel|KERNEL_CVE-2016-0728", - "error_key": "KERNEL_CVE-2016-0728", - "plugin": "CVE_2016_0728_kernel", - "description": "Kernel key management subsystem vulnerable to local privilege escalation (CVE-2016-0728)", - "summary": "A vulnerability in the Linux kernel allowing local privilege escalation was discovered. The issue was reported as [CVE-2016-0728](https://access.redhat.com/security/cve/cve-2016-0728).", - "generic": "A vulnerability in the Linux kernel rated **Important** was discovered. The use-after-free flaw relates to the way the Linux kernel's key management subsystem handles keyring object reference counting in certain error paths of the join_session_keyring() function. A local, unprivileged user could use this flaw to escalate their privileges on the system. The issue was reported as [CVE-2016-0728](https://access.redhat.com/security/cve/cve-2016-0728).\n\nRed Hat recommends that you update the kernel and reboot the system. If you cannot reboot now, consider applying the [systemtap patch](https://bugzilla.redhat.com/attachment.cgi?id=1116284&action=edit) to update your running kernel.", - "reason": "

A vulnerability in the Linux kernel rated Important was discovered. The use-after-free flaw relates to the way the Linux kernel's key management subsystem handles keyring object reference counting in certain error paths of the join_session_keyring() function. A local, unprivileged user could use this flaw to escalate their privileges on the system. The issue was reported as CVE-2016-0728.

\n

The host is vulnerable as it is running kernel-3.10.0-123.el7.

\n", - "type": null, - "more_info": "* For more information about the flaws and versions of the package that are vulnerable see [CVE-2016-0728](https://access.redhat.com/security/cve/cve-2016-0728).\n* To learn how to upgrade packages, see \"[What is yum and how do I use it?](https://access.redhat.com/solutions/9934)\"\n* The Customer Portal page for the [Red Hat Security Team](https://access.redhat.com/security/) contains more information about policies, procedures, and alerts for Red Hat Products.\n* The Security Team also maintains a frequently updated blog at [securityblog.redhat.com](https://securityblog.redhat.com).", - "active": true, - "node_id": "2130791", - "category": "Security", - "retired": false, - "reboot_required": false, - "publish_date": "2016-10-31T04:08:37.000Z", - "rec_impact": 2, - "rec_likelihood": 2, - "resolution": "

Red Hat recommends that you update kernel and reboot. If you cannot reboot now, consider applying the systemtap patch to update your running kernel.

\n
# yum update kernel\n# reboot\n-or-\n# debuginfo-install kernel     (or equivalent)\n# stap -vgt -Gfix_p=1 -Gtrace_p=0 cve20160728e.stp\n
" - }, - "maintenance_actions": [] - }, { - "details": { - "processes_listening_int": [], - "processes_listening_ext": [], - "error_key": "OPENSSL_CVE_2016_0800_SPECIAL_DROWN", - "processes_listening": [], - "processes_names": [], - "vulnerable_package": "openssl-libs-1.0.1e-34.el7" - }, - "id": 709784475, - "rule_id": "CVE_2016_0800_openssl_drown|OPENSSL_CVE_2016_0800_SPECIAL_DROWN", - "system_id": "f31b6265939d4a8492d3ce9655dc94be", - "account_number": "540155", - "uuid": "d195e3c5e5e6469781c4e59fa3f5ba87", - "date": "2017-05-25T14:01:19.000Z", - "rule": { - "summary_html": "

A new cross-protocol attack against SSLv2 protocol has been found. It has been assigned CVE-2016-0800 and is referred to as DROWN - Decrypting RSA using Obsolete and Weakened eNcryption. An attacker can decrypt passively collected TLS sessions between up-to-date client and server which supports SSLv2.

\n", - "generic_html": "

A new cross-protocol attack against a vulnerability in the SSLv2 protocol has been found. It can be used to passively decrypt collected TLS/SSL sessions from any connection that used an RSA key exchange cypher suite on a server that supports SSLv2. Even if a given service does not support SSLv2 the connection is still vulnerable if another service does and shares the same RSA private key.

\n

A more efficient variant of the attack exists against unpatched OpenSSL servers using versions that predate security advisories released on March 19, 2015 (see CVE-2015-0293).

\n", - "more_info_html": "\n", - "severity": "WARN", - "ansible": true, - "ansible_fix": false, - "ansible_mitigation": false, - "rule_id": "CVE_2016_0800_openssl_drown|OPENSSL_CVE_2016_0800_SPECIAL_DROWN", - "error_key": "OPENSSL_CVE_2016_0800_SPECIAL_DROWN", - "plugin": "CVE_2016_0800_openssl_drown", - "description": "OpenSSL vulnerable to very efficient session decryption (CVE-2016-0800/Special DROWN)", - "summary": "A new cross-protocol attack against SSLv2 protocol has been found. It has been assigned [CVE-2016-0800](https://access.redhat.com/security/cve/CVE-2016-0800) and is referred to as DROWN - Decrypting RSA using Obsolete and Weakened eNcryption. An attacker can decrypt passively collected TLS sessions between up-to-date client and server which supports SSLv2.", - "generic": "A new cross-protocol attack against a vulnerability in the SSLv2 protocol has been found. It can be used to passively decrypt collected TLS/SSL sessions from any connection that used an RSA key exchange cypher suite on a server that supports SSLv2. Even if a given service does not support SSLv2 the connection is still vulnerable if another service does and shares the same RSA private key.\n\nA more efficient variant of the attack exists against unpatched OpenSSL servers using versions that predate security advisories released on March 19, 2015 (see [CVE-2015-0293](https://access.redhat.com/security/cve/CVE-2015-0293)).", - "reason": "

This host is vulnerable because it has vulnerable package openssl-libs-1.0.1e-34.el7 installed.

\n

This package does not have a patch for CVE-2015-0293 applied, which makes the system especially vulnerable. This is known as Special DROWN. An attacker can use this flaw to perform active man-in-the-middle (MITM) attacks and impersonate a TLS server to connecting TLS client in a matter of minutes.

\n

Fortunately, it does not seem to run any processes that use OpenSSL libraries.

\n

A new cross-protocol attack against a vulnerability in the SSLv2 protocol has been found. It can be used to passively decrypt collected TLS/SSL sessions from any connection that used an RSA key exchange cypher suite on a server that supports SSLv2. Even if a given service does not support SSLv2 the connection is still vulnerable if another service does and shares the same RSA private key.

\n

A more efficient variant of the attack exists against unpatched OpenSSL servers using versions that predate security advisories released on March 19, 2015 (see CVE-2015-0293).

\n", - "type": null, - "more_info": "* For more information about the flaw see [CVE-2016-0800](https://access.redhat.com/security/cve/CVE-2016-0800)\n* To learn how to upgrade packages, see \"[What is yum and how do I use it?](https://access.redhat.com/solutions/9934)\"\n* The Customer Portal page for the [Red Hat Security Team](https://access.redhat.com/security/) contains more information about policies, procedures, and alerts for Red Hat Products.\n* The Security Team also maintains a frequently updated blog at [securityblog.redhat.com](https://securityblog.redhat.com).", - "active": true, - "node_id": "2174451", - "category": "Security", - "retired": false, - "reboot_required": false, - "publish_date": "2016-10-31T04:08:32.000Z", - "rec_impact": 3, - "rec_likelihood": 2, - "resolution": "

Red Hat recommends that you update openssl and restart the affected system:

\n
# yum update openssl\n# reboot\n

Alternatively, you can restart all affected services (that is, the ones linked to the openssl library), especially those listening on public IP addresses.

\n" - }, - "maintenance_actions": [] - }, { - "details": { - "vulnerable_kernel": "3.10.0-123.el7", - "package_name": "kernel", - "error_key": "KERNEL_CVE_2016_5195" - }, - "id": 709784485, - "rule_id": "CVE_2016_5195_kernel|KERNEL_CVE_2016_5195", - "system_id": "f31b6265939d4a8492d3ce9655dc94be", - "account_number": "540155", - "uuid": "d195e3c5e5e6469781c4e59fa3f5ba87", - "date": "2017-05-25T14:01:19.000Z", - "rule": { - "summary_html": "

A flaw was found in the Linux kernel's memory subsystem. An unprivileged local user could use this flaw to write to files they would normally only have read-only access to and thus increase their privileges on the system.

\n", - "generic_html": "

A race condition was found in the way Linux kernel's memory subsystem handled breakage of the the read only shared mappings COW situation on write access. An unprivileged local user could use this flaw to write to files they should normally have read-only access to, and thus increase their privileges on the system.

\n

A process that is able to mmap a file is able to race Copy on Write (COW) page creation (within get_user_pages) with madvise(MADV_DONTNEED) kernel system calls. This would allow modified pages to bypass the page protection mechanism and modify the mapped file. The vulnerability could be abused by allowing an attacker to modify existing setuid files with instructions to elevate permissions. This attack has been found in the wild.

\n

Red Hat recommends that you update the kernel package or apply mitigations.

\n", - "more_info_html": "\n", - "severity": "CRITICAL", - "ansible": true, - "ansible_fix": false, - "ansible_mitigation": false, - "rule_id": "CVE_2016_5195_kernel|KERNEL_CVE_2016_5195", - "error_key": "KERNEL_CVE_2016_5195", - "plugin": "CVE_2016_5195_kernel", - "description": "Kernel vulnerable to privilege escalation via permission bypass (CVE-2016-5195)", - "summary": "A flaw was found in the Linux kernel's memory subsystem. An unprivileged local user could use this flaw to write to files they would normally only have read-only access to and thus increase their privileges on the system.", - "generic": "A race condition was found in the way Linux kernel's memory subsystem handled breakage of the the read only shared mappings COW situation on write access. An unprivileged local user could use this flaw to write to files they should normally have read-only access to, and thus increase their privileges on the system.\n\nA process that is able to mmap a file is able to race Copy on Write (COW) page creation (within get_user_pages) with madvise(MADV_DONTNEED) kernel system calls. This would allow modified pages to bypass the page protection mechanism and modify the mapped file. The vulnerability could be abused by allowing an attacker to modify existing setuid files with instructions to elevate permissions. This attack has been found in the wild. \n\nRed Hat recommends that you update the kernel package or apply mitigations.", - "reason": "

A flaw was found in the Linux kernel's memory subsystem. An unprivileged local user could use this flaw to write to files they would normally have read-only access to and thus increase their privileges on the system.

\n

This host is affected because it is running kernel 3.10.0-123.el7.

\n

There is currently no mitigation applied and your system is vulnerable.

\n", - "type": null, - "more_info": "* For more information about the flaw see [CVE-2016-5195](https://access.redhat.com/security/cve/CVE-2016-5195)\n* To learn how to upgrade packages, see \"[What is yum and how do I use it?](https://access.redhat.com/solutions/9934)\"\n* The Customer Portal page for the [Red Hat Security Team](https://access.redhat.com/security/) contains more information about policies, procedures, and alerts for Red Hat Products.\n* The Security Team also maintains a frequently updated blog at [securityblog.redhat.com](https://securityblog.redhat.com).", - "active": true, - "node_id": "2706661", - "category": "Security", - "retired": false, - "reboot_required": false, - "publish_date": "2016-10-31T04:08:33.000Z", - "rec_impact": 2, - "rec_likelihood": 2, - "resolution": "

Red Hat recommends that you update the kernel package and restart the system:

\n
# yum update kernel\n# reboot\n

or

\n

Alternatively, this issue can be addressed by applying mitigations until the machine is restarted with the updated kernel package.

\n

Please refer to the Resolve Tab in the vulnerability article for information about the mitigation and the latest information.

\n" - }, - "maintenance_actions": [{ - "done": false, - "id": 29885, - "maintenance_plan": { - "maintenance_id": 12195, - "name": null, - "description": null, - "start": null, - "end": null, - "created_by": "rhn-support-jnewton", - "silenced": false, - "hidden": true, - "suggestion": "proposed", - "remote_branch": null - } - }] - }, { - "details": { - "package": "bash-4.2.45-5.el7", - "error_key": "VULNERABLE_BASH_DETECTED" - }, - "id": 709784505, - "rule_id": "bash_injection|VULNERABLE_BASH_DETECTED", - "system_id": "f31b6265939d4a8492d3ce9655dc94be", - "account_number": "540155", - "uuid": "d195e3c5e5e6469781c4e59fa3f5ba87", - "date": "2017-05-25T14:01:19.000Z", - "rule": { - "summary_html": "

In September 2014, an exploitable bug known as Shellshock was discovered in commonly shipped versions of the bash shell.

\n", - "generic_html": "

Hosts running earlier versions of bash are affected by the code injection vulnerability known as Shellshock.

\n", - "more_info_html": "

For further information about this critical vulnerability, see:

\n\n", - "severity": "WARN", - "ansible": true, - "ansible_fix": true, - "ansible_mitigation": false, - "rule_id": "bash_injection|VULNERABLE_BASH_DETECTED", - "error_key": "VULNERABLE_BASH_DETECTED", - "plugin": "bash_injection", - "description": "Bash locally vulnerable via environment variables (CVE-2014-6271, CVE-2014-7169/Shellshock)", - "summary": "In September 2014, an exploitable bug known as Shellshock was discovered in commonly shipped versions of the bash shell.", - "generic": "Hosts running earlier versions of `bash` are affected by the code injection vulnerability known as **Shellshock**.", - "reason": "

This host is running a version of bash that is affected by the code injection vulnerability known as Shellshock.

\n

The package affected is bash-4.2.45-5.el7.

\n", - "type": null, - "more_info": "For further information about this **critical** vulnerability, see:\n* [Bash Code Injection Vulnerability via Specially Crafted Environment Variables (CVE-2014-6271, CVE-2014-7169)](https://access.redhat.com/articles/1200223)\n* [CVE-2014-6271](https://access.redhat.com/security/cve/CVE-2014-6271)\n* [CVE-2014-7169](https://access.redhat.com/security/cve/CVE-2014-7169)", - "active": true, - "node_id": "1200223", - "category": "Security", - "retired": false, - "reboot_required": false, - "publish_date": "2016-10-31T04:08:36.000Z", - "rec_impact": 2, - "rec_likelihood": 2, - "resolution": "

Red Hat recommends that you upgrade bash immediately:

\n
# yum update bash\n
" - }, - "maintenance_actions": [] - }, { - "details": { - "detected_problem_log_perms": [{ - "log_perms_dirfilename": "/var/log/cron", - "log_perms_sensitive": true, - "log_perms_ls_line": "-rw-r--r--. 1 root root 15438 May 25 10:01 cron" - }], - "error_key": "HARDENING_LOGGING_3_LOG_PERMS" - }, - "id": 709784525, - "rule_id": "hardening_logging_log_perms|HARDENING_LOGGING_3_LOG_PERMS", - "system_id": "f31b6265939d4a8492d3ce9655dc94be", - "account_number": "540155", - "uuid": "d195e3c5e5e6469781c4e59fa3f5ba87", - "date": "2017-05-25T14:01:19.000Z", - "rule": { - "summary_html": "

Issues related to system logging and auditing were detected on your system. Important services are disabled or log file permissions are not secure.

\n", - "generic_html": "

Issues related to system logging and auditing were detected on your system.

\n

Red Hat recommends that the logging service rsyslog and the auditing service auditd are enabled and that log files in /var/log have secure permissions.

\n", - "more_info_html": "\n", - "severity": "INFO", - "ansible": false, - "ansible_fix": false, - "ansible_mitigation": false, - "rule_id": "hardening_logging_log_perms|HARDENING_LOGGING_3_LOG_PERMS", - "error_key": "HARDENING_LOGGING_3_LOG_PERMS", - "plugin": "hardening_logging_log_perms", - "description": "Decreased security in system logging permissions", - "summary": "Issues related to system logging and auditing were detected on your system. Important services are disabled or log file permissions are not secure.\n", - "generic": "Issues related to system logging and auditing were detected on your system.\n\nRed Hat recommends that the logging service `rsyslog` and the auditing service `auditd` are enabled and that log files in `/var/log` have secure permissions.\n", - "reason": "

Log files have permission issues.

\n

The following files or directories in /var/log have file permissions that differ from the default RHEL configuration and are possibly non-secure. Red Hat recommends that the file permissions be adjusted to more secure settings.

\n\n \n \n \n \n \n\n\n\n\n\n\n\n
File or directory nameDetected problemOutput from ls -l
/var/log/cronUsers other than root can read or write.-rw-r--r--. 1 root root 15438 May 25 10:01 cron
\n\n\n\n", - "type": null, - "more_info": "* [Why is `/var/log/cron` world readable in RHEL7?](https://access.redhat.com/solutions/1491573)\n* [Using the chkconfig Utility](https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/s2-services-chkconfig.html) to configure services on RHEL 6\n* [Managing System Services](https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/sect-Managing_Services_with_systemd-Services.html) to configure services on RHEL 7\n* The Customer Portal page for the [Red Hat Security Team](https://access.redhat.com/security/) contains more information about policies, procedures, and alerts for Red Hat products.\n* The Security Team also maintains a frequently updated blog at [securityblog.redhat.com](https://securityblog.redhat.com).\n", - "active": true, - "node_id": null, - "category": "Security", - "retired": false, - "reboot_required": false, - "publish_date": "2017-05-16T04:08:34.000Z", - "rec_impact": 1, - "rec_likelihood": 1, - "resolution": "

Red Hat recommends that you perform the following adjustments:

\n

Fixing permission issues depends on whether there is a designated safe group on your system that has Read access to the log files. This situation might exist if you want to allow certain administrators to see the log files without becoming root. To prevent log tampering, no other user than root should have permissions to Write to the log files. (The btmp and wtmp files are owned by the utmp group but other users should still be unable to write to them.)

\n

Fix for a default RHEL configuration

\n

(No designated group for reading log files)

\n
chown root:root /var/log/cron\nchmod u=rw,g-x,o-rwx /var/log/cron\n

Fix for a configuration with a designated safe group for reading log files

\n

In the following lines, substitute the name of your designated safe group for the string safegroup:

\n
chown root:safegroup /var/log/cron\nchmod u=rw,g-x,o-rwx /var/log/cron\n
" - }, - "maintenance_actions": [] - }, { - "details": { - "filesystems": [{ - "usage": "99", - "mountpoint": "/" - }, { - "usage": "99", - "mountpoint": "/" - }], - "error_key": "FILESYSTEM_CAPACITY" - }, - "id": 709784535, - "rule_id": "filesystem_capacity|FILESYSTEM_CAPACITY", - "system_id": "f31b6265939d4a8492d3ce9655dc94be", - "account_number": "540155", - "uuid": "d195e3c5e5e6469781c4e59fa3f5ba87", - "date": "2017-05-25T14:01:19.000Z", - "rule": { - "summary_html": "

File systems nearing full capacity can cause performance issues because blocks must be used from different block groups. \nBesides, file systems at or exceeding capacity will have stability issues because applications will no longer be able to write to the file system.

\n", - "generic_html": "

File systems nearing full capacity can cause performance issues because blocks must be used from different block groups. \nBesides, file systems at or exceeding capacity will have stability issues because applications will no longer be able to write to the file system.

\n", - "more_info_html": "

How to increase the filesystem size?\nHow do I find out what is using disk space?

\n", - "severity": "WARN", - "ansible": false, - "ansible_fix": false, - "ansible_mitigation": false, - "rule_id": "filesystem_capacity|FILESYSTEM_CAPACITY", - "error_key": "FILESYSTEM_CAPACITY", - "plugin": "filesystem_capacity", - "description": "Decreased stability and/or performance due to filesystem over 95% capacity", - "summary": "File systems nearing full capacity can cause performance issues because blocks must be used from different block groups. \nBesides, file systems at or exceeding capacity will have stability issues because applications will no longer be able to write to the file system.\n", - "generic": "File systems nearing full capacity can cause performance issues because blocks must be used from different block groups. \nBesides, file systems at or exceeding capacity will have stability issues because applications will no longer be able to write to the file system.\n", - "reason": "

This host has the following file systems nearing or at capacity:

\n
    \n\n
  • Filesystem: / Usage: 99%
  • \n\n
  • Filesystem: / Usage: 99%
  • \n\n
", - "type": null, - "more_info": "[How to increase the filesystem size?](https://access.redhat.com/solutions/21820)\n[How do I find out what is using disk space?](https://access.redhat.com/solutions/1154683)\n", - "active": true, - "node_id": "1154683", - "category": "Stability", - "retired": false, - "reboot_required": false, - "publish_date": "2016-10-31T04:08:36.000Z", - "rec_impact": 2, - "rec_likelihood": 3, - "resolution": "

To solve the issue, Red Hat recommends that you either add more storage capacity to the identified file systems, or remove unnecessary files to reduce the current usage.\nPlease refer to more_information part for more detailed steps.

\n" - }, - "maintenance_actions": [] - }, { - "details": { - "msg": "[ 0.000000] crashkernel=auto resulted in zero bytes of reserved memory.", - "auto_with_low_ram": true, - "rhel_ver": 7, - "error_key": "CRASHKERNEL_RESERVATION_FAILED" - }, - "id": 709784555, - "rule_id": "crashkernel_reservation_failed|CRASHKERNEL_RESERVATION_FAILED", - "system_id": "f31b6265939d4a8492d3ce9655dc94be", - "account_number": "540155", - "uuid": "d195e3c5e5e6469781c4e59fa3f5ba87", - "date": "2017-05-25T14:01:19.000Z", - "rule": { - "summary_html": "

The crashkernel configuration has failed to produce a working kdump environment. Configuration changes must be made to enable vmcore capture.

\n", - "generic_html": "

Kdump is unable to reserve memory for the kdump kernel. The kdump service has not started and a vmcore will not be captured if the host crashes, which will make it difficult for our support technicians to determine why the machine crashed.

\n", - "more_info_html": "", - "severity": "WARN", - "ansible": false, - "ansible_fix": false, - "ansible_mitigation": false, - "rule_id": "crashkernel_reservation_failed|CRASHKERNEL_RESERVATION_FAILED", - "error_key": "CRASHKERNEL_RESERVATION_FAILED", - "plugin": "crashkernel_reservation_failed", - "description": "Kdump crashkernel reservation failed due to improper configuration of crashkernel parameter", - "summary": "The crashkernel configuration has failed to produce a working kdump environment. Configuration changes must be made to enable vmcore capture.\n", - "generic": "Kdump is unable to reserve memory for the kdump kernel. The kdump service has not started and a vmcore will not be captured if the host crashes, which will make it difficult for our support technicians to determine why the machine crashed.", - "reason": "

This host is unable to reserve memory for the kdump kernel:

\n
[    0.000000] crashkernel=auto resulted in zero bytes of reserved memory.\n

This means the kdump service has not started and a vmcore will not be captured if the host crashes, which will make it difficult for our support technicians to determine why the machine crashed.

\n", - "type": null, - "more_info": null, - "active": true, - "node_id": "59432", - "category": "Stability", - "retired": false, - "reboot_required": false, - "publish_date": "2016-10-31T04:08:33.000Z", - "rec_impact": 1, - "rec_likelihood": 3, - "resolution": "

To fix this issue, Red Hat recommends that you change the crashkernel setting in the grub.conf file.

\n

This host failed to reserved memory with auto crashkernel parameter due to low physical memory. The memory must be reserved by explicitly requesting the reservation size, for example: crashkernel=128M.

\n

For details of crashkernel setting, please refer to the Knowledge article How should the crashkernel parameter be configured for using kdump on RHEL7? to pickup the setting specifically for your host.

\n" - }, - "maintenance_actions": [] - }, { - "details": { - "error_key": "TZDATA_NEED_UPGRADE_INFO_NEED_MANUAL_ACTION" - }, - "id": 709784565, - "rule_id": "tzdata_need_upgrade|TZDATA_NEED_UPGRADE_INFO_NEED_MANUAL_ACTION", - "system_id": "f31b6265939d4a8492d3ce9655dc94be", - "account_number": "540155", - "uuid": "d195e3c5e5e6469781c4e59fa3f5ba87", - "date": "2017-05-25T14:01:19.000Z", - "rule": { - "summary_html": "

System clock inaccurate when a leap second event happens in a non-NTP system without following the TAI timescale.

\n", - "generic_html": "

System clock inaccurate when a leap second event happens in a non-NTP system without following the TAI timescale.

\n", - "more_info_html": "", - "severity": "INFO", - "ansible": false, - "ansible_fix": false, - "ansible_mitigation": false, - "rule_id": "tzdata_need_upgrade|TZDATA_NEED_UPGRADE_INFO_NEED_MANUAL_ACTION", - "error_key": "TZDATA_NEED_UPGRADE_INFO_NEED_MANUAL_ACTION", - "plugin": "tzdata_need_upgrade", - "description": "System clock inaccurate when a leap second event happens in a non-NTP system without following the TAI timescale", - "summary": "System clock inaccurate when a leap second event happens in a non-NTP system without following the TAI timescale.\n", - "generic": "System clock inaccurate when a leap second event happens in a non-NTP system without following the TAI timescale.\n", - "reason": "

This system running as a non-NTP system is following the UTC timescale. In this situation, manual correction is required to avoid system clock inaccuracy when a leap second event happens.

\n", - "type": null, - "more_info": null, - "active": true, - "node_id": "1465713", - "category": "Stability", - "retired": false, - "reboot_required": false, - "publish_date": null, - "rec_impact": 2, - "rec_likelihood": 1, - "resolution": "

The system clock of this system needs manual correction when a leap second event happens. For example:

\n
\n\n# date -s \"20170101 HH:MM:SS\"\n\n
\n\n

You need to replace "HH:MM:SS" with the accurate time after the leap second occurs.

\n" - }, - "maintenance_actions": [] - }, { - "details": { - "selinux_info": true, - "package_name": "kernel", - "selinux_enforcing": true, - "selinux_can_help": true, - "minimal_selinux_policy": "selinux-policy-3.13.1-81.el7", - "selinux_enabled": true, - "vulnerable_kernel": "3.10.0-123.el7", - "active_policy": "selinux-policy-3.12.1-153.el7", - "dccp_loading_disabled": null, - "error_key": "KERNEL_CVE_2017_6074", - "enough_policy": false, - "dccp_loaded": null, - "mitigation_info": false - }, - "id": 709784575, - "rule_id": "CVE_2017_6074_kernel|KERNEL_CVE_2017_6074", - "system_id": "f31b6265939d4a8492d3ce9655dc94be", - "account_number": "540155", - "uuid": "d195e3c5e5e6469781c4e59fa3f5ba87", - "date": "2017-05-25T14:01:19.000Z", - "rule": { - "summary_html": "

A use-after-free flaw was found in the Linux kernel IPv6 DCCP network protocol code. It has been assigned CVE-2017-6074. An unprivileged local user could use this flaw to execute arbitrary code in kernel memory and increase their privileges on the system.

\n", - "generic_html": "

A use-after-free flaw was found in the Linux kernel IPv6 DCCP network protocol code. It has been assigned CVE-2017-6074.

\n

An unprivileged local user could use this flaw to execute arbitrary code in kernel memory and increase their privileges on the system. A local user could initiate a DCCP network connection on any local system network interface and then create specially-crafted memory allocations containing malicious instructions that can then either cause a crash or potentially escalate the user's privileges.

\n

An attacker must have access to a local account on the system; this is not a remote attack and it requires IPv6 support to be enabled on the system.

\n

Red Hat recommends that you update the kernel when possible. Otherwise, you can use proposed mitigation to disable DCCP. SELinux in enforcing mode can also mitigate the issue under specific circumstances.

\n", - "more_info_html": "\n", - "severity": "WARN", - "ansible": true, - "ansible_fix": false, - "ansible_mitigation": false, - "rule_id": "CVE_2017_6074_kernel|KERNEL_CVE_2017_6074", - "error_key": "KERNEL_CVE_2017_6074", - "plugin": "CVE_2017_6074_kernel", - "description": "Kernel vulnerable to local privilege escalation via DCCP module (CVE-2017-6074)", - "summary": "A use-after-free flaw was found in the Linux kernel IPv6 DCCP network protocol code. It has been assigned [CVE-2017-6074](https://access.redhat.com/security/cve/CVE-2017-6074). An unprivileged local user could use this flaw to execute arbitrary code in kernel memory and increase their privileges on the system.\n", - "generic": "A use-after-free flaw was found in the Linux kernel IPv6 DCCP network protocol code. It has been assigned CVE-2017-6074. \n\nAn unprivileged local user could use this flaw to execute arbitrary code in kernel memory and increase their privileges on the system. A local user could initiate a DCCP network connection on any local system network interface and then create specially-crafted memory allocations containing malicious instructions that can then either cause a crash or potentially escalate the user's privileges.\n\nAn attacker must have access to a local account on the system; this is not a remote attack and it requires IPv6 support to be enabled on the system.\n\nRed Hat recommends that you update the kernel when possible. Otherwise, you can use proposed mitigation to disable DCCP. SELinux in enforcing mode can also mitigate the issue under specific circumstances.\n", - "reason": "

A use-after-free flaw was found within the Linux kernel IPv6 DCCP network protocol code.

\n

This host is affected because:

\n
  • It is running kernel 3.10.0-123.el7.
  • SELinux policy is outdated.
\n\n\n\n\n\n\n

Your installed SELinux policy is selinux-policy-3.12.1-153.el7; however, to mitigate the issue, the earliest required version is selinux-policy-3.13.1-81.el7.

\n", - "type": null, - "more_info": "* For more information about the flaw, see [CVE-2017-6074](https://access.redhat.com/security/cve/CVE-2017-6074).\n* To learn how to upgrade packages, see [What is yum and how do I use it?](https://access.redhat.com/solutions/9934).\n* For more information about SELinux, see [Benefits of running SELinux](https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/SELinux_Users_and_Administrators_Guide/chap-Security-Enhanced_Linux-Introduction.html#sect-Security-Enhanced_Linux-Introduction-Benefits_of_running_SELinux).\n* The Customer Portal page for the [Red Hat Security Team](https://access.redhat.com/security/) contains more information about policies, procedures, and alerts for Red Hat products.\n* The Security Team also maintains a frequently updated blog at [securityblog.redhat.com](https://securityblog.redhat.com).\n", - "active": true, - "node_id": null, - "category": "Security", - "retired": false, - "reboot_required": false, - "publish_date": null, - "rec_impact": 2, - "rec_likelihood": 2, - "resolution": "

Red Hat recommends updating the kernel package and rebooting the system.

\n
# yum update kernel\n# reboot\n

Alternatively, apply one of the following mitigations:

\n
Update SELinux policy
\n

Update your SELinux policy:

\n
# yum update selinux-policy\n

The system does not provide enough information for Insights about loaded kernel modules. It is not possible to recommend a mitigation based on kernel modules.

\n" - }, - "maintenance_actions": [] - }, { - "details": { - "mitigation_conf": "no", - "sysctl_live_ack_limit": "100", - "package_name": "kernel", - "sysctl_live_ack_limit_line": "net.ipv4.tcp_challenge_ack_limit = 100", - "error_key": "KERNEL_CVE_2016_5696_URGENT", - "vulnerable_kernel": "3.10.0-123.el7", - "sysctl_conf_ack_limit": "100", - "sysctl_conf_ack_limit_line": "net.ipv4.tcp_challenge_ack_limit=100", - "mitigation_live": "no" - }, - "id": 766342155, - "rule_id": "CVE_2016_5696_kernel|KERNEL_CVE_2016_5696_URGENT", - "system_id": "f31b6265939d4a8492d3ce9655dc94be", - "account_number": "540155", - "uuid": "d195e3c5e5e6469781c4e59fa3f5ba87", - "date": "2017-05-25T14:01:19.000Z", - "rule": { - "summary_html": "

A flaw in the Linux kernel's TCP/IP networking subsystem implementation of the RFC 5961 challenge ACK rate limiting was found that could allow an attacker located on different subnet to inject or take over a TCP connection between a server and client without needing to use a traditional man-in-the-middle (MITM) attack.

\n", - "generic_html": "

A flaw was found in the implementation of the Linux kernel's handling of networking challenge ack (RFC 5961) where an attacker is able to determine the\nshared counter. This flaw allows an attacker located on different subnet to inject or take over a TCP connection between a server and client without needing to use a traditional man-in-the-middle (MITM) attack.

\n

Red Hat recommends that you update the kernel package or apply mitigations.

\n", - "more_info_html": "\n", - "severity": "ERROR", - "ansible": true, - "ansible_fix": false, - "ansible_mitigation": false, - "rule_id": "CVE_2016_5696_kernel|KERNEL_CVE_2016_5696_URGENT", - "error_key": "KERNEL_CVE_2016_5696_URGENT", - "plugin": "CVE_2016_5696_kernel", - "description": "Kernel vulnerable to man-in-the-middle via payload injection", - "summary": "A flaw in the Linux kernel's TCP/IP networking subsystem implementation of the [RFC 5961](https://tools.ietf.org/html/rfc5961) challenge ACK rate limiting was found that could allow an attacker located on different subnet to inject or take over a TCP connection between a server and client without needing to use a traditional man-in-the-middle (MITM) attack.", - "generic": "A flaw was found in the implementation of the Linux kernel's handling of networking challenge ack ([RFC 5961](https://tools.ietf.org/html/rfc5961)) where an attacker is able to determine the\nshared counter. This flaw allows an attacker located on different subnet to inject or take over a TCP connection between a server and client without needing to use a traditional man-in-the-middle (MITM) attack. \n\nRed Hat recommends that you update the kernel package or apply mitigations.", - "reason": "

A flaw was found in the implementation of the Linux kernel's handling of networking challenge ack (RFC 5961) where an attacker is able to determine the\nshared counter. This flaw allows an attacker located on different subnet to inject or take over a TCP connection between a server and client without needing to use a traditional man-in-the-middle (MITM) attack.

\n

This host is affected because it is running kernel 3.10.0-123.el7.

\n

Your currently loaded kernel configuration contains this setting:

\n
net.ipv4.tcp_challenge_ack_limit = 100\n

Your currently stored kernel configuration is:

\n
net.ipv4.tcp_challenge_ack_limit=100\n

There is currently no mitigation applied and your system is vulnerable.

\n", - "type": null, - "more_info": "* For more information about the flaw see [CVE-2016-5696](https://access.redhat.com/security/cve/CVE-2016-5696)\n* To learn how to upgrade packages, see \"[What is yum and how do I use it?](https://access.redhat.com/solutions/9934)\"\n* The Customer Portal page for the [Red Hat Security Team](https://access.redhat.com/security/) contains more information about policies, procedures, and alerts for Red Hat Products.\n* The Security Team also maintains a frequently updated blog at [securityblog.redhat.com](https://securityblog.redhat.com).", - "active": true, - "node_id": "2438571", - "category": "Security", - "retired": false, - "reboot_required": false, - "publish_date": "2016-10-31T04:08:32.000Z", - "rec_impact": 4, - "rec_likelihood": 2, - "resolution": "

Red Hat recommends that you update the kernel package and restart the system:

\n
# yum update kernel\n# reboot\n

or

\n

Alternatively, this issue can be addressed by applying the following mitigations until the machine is restarted with the updated kernel package.

\n

Edit /etc/sysctl.conf file as root, add the mitigation configuration, and reload the kernel configuration:

\n
# echo "net.ipv4.tcp_challenge_ack_limit = 2147483647" >> /etc/sysctl.conf \n# sysctl -p\n
" - }, - "maintenance_actions": [{ - "done": false, - "id": 56045, - "maintenance_plan": { - "maintenance_id": 15875, - "name": "Payload Injection Fix", - "description": "", - "start": "2017-06-01T02:00:00.000Z", - "end": "2017-06-01T03:00:00.000Z", - "created_by": "rhn-support-wnix", - "silenced": false, - "hidden": false, - "suggestion": null, - "remote_branch": null - } - }, { - "done": false, - "id": 61575, - "maintenance_plan": { - "maintenance_id": 16825, - "name": "Summit 2017 Plan 1", - "description": "", - "start": null, - "end": null, - "created_by": "rhn-support-wnix", - "silenced": false, - "hidden": false, - "suggestion": null, - "remote_branch": null - } - }, { - "done": false, - "id": 66175, - "maintenance_plan": { - "maintenance_id": 19435, - "name": null, - "description": null, - "start": null, - "end": null, - "created_by": "rhn-support-wnix", - "silenced": false, - "hidden": false, - "suggestion": null, - "remote_branch": null - } - }, { - "done": false, - "id": 71015, - "maintenance_plan": { - "maintenance_id": 19835, - "name": "Optum Payload", - "description": "", - "start": "2017-05-27T02:00:00.000Z", - "end": "2017-05-27T03:00:00.000Z", - "created_by": "rhn-support-wnix", - "silenced": false, - "hidden": false, - "suggestion": null, - "remote_branch": null - } - }] - }, { - "details": { - "mod_loading_disabled": null, - "package_name": "kernel", - "error_key": "KERNEL_CVE_2017_2636", - "vulnerable_kernel": "3.10.0-123.el7", - "mod_loaded": null, - "mitigation_info": false - }, - "id": 766342165, - "rule_id": "CVE_2017_2636_kernel|KERNEL_CVE_2017_2636", - "system_id": "f31b6265939d4a8492d3ce9655dc94be", - "account_number": "540155", - "uuid": "d195e3c5e5e6469781c4e59fa3f5ba87", - "date": "2017-05-25T14:01:19.000Z", - "rule": { - "summary_html": "

A vulnerability in the Linux kernel allowing local privilege escalation was discovered.\nThe issue was reported as CVE-2017-2636.

\n", - "generic_html": "

A use-after-free flaw was found in the Linux kernel implementation of the HDLC (High-Level Data Link Control) TTY line discipline implementation. It has been assigned CVE-2017-2636.

\n

An unprivileged local user could use this flaw to execute arbitrary code in kernel memory and increase their privileges on the system. The kernel uses a TTY subsystem to take and show terminal output to connected systems. An attacker crafting specific-sized memory allocations could abuse this mechanism to place a kernel function pointer with malicious instructions to be executed on behalf of the attacker.

\n

An attacker must have access to a local account on the system; this is not a remote attack. Exploiting this flaw does not require Microgate or SyncLink hardware to be in use.

\n

Red Hat recommends that you use the proposed mitigation to disable the N_HDLC module.

\n", - "more_info_html": "\n", - "severity": "WARN", - "ansible": true, - "ansible_fix": false, - "ansible_mitigation": false, - "rule_id": "CVE_2017_2636_kernel|KERNEL_CVE_2017_2636", - "error_key": "KERNEL_CVE_2017_2636", - "plugin": "CVE_2017_2636_kernel", - "description": "Kernel vulnerable to local privilege escalation via n_hdlc module (CVE-2017-2636)", - "summary": "A vulnerability in the Linux kernel allowing local privilege escalation was discovered.\nThe issue was reported as [CVE-2017-2636](https://access.redhat.com/security/cve/CVE-2017-2636).\n", - "generic": "A use-after-free flaw was found in the Linux kernel implementation of the HDLC (High-Level Data Link Control) TTY line discipline implementation. It has been assigned CVE-2017-2636.\n\nAn unprivileged local user could use this flaw to execute arbitrary code in kernel memory and increase their privileges on the system. The kernel uses a TTY subsystem to take and show terminal output to connected systems. An attacker crafting specific-sized memory allocations could abuse this mechanism to place a kernel function pointer with malicious instructions to be executed on behalf of the attacker.\n\nAn attacker must have access to a local account on the system; this is not a remote attack. Exploiting this flaw does not require Microgate or SyncLink hardware to be in use.\n\nRed Hat recommends that you use the proposed mitigation to disable the N_HDLC module.\n", - "reason": "

A use-after-free flaw was found in the Linux kernel implementation of the HDLC (High-Level Data Link Control) TTY line discipline implementation.

\n

This host is affected because it is running kernel 3.10.0-123.el7.

\n", - "type": null, - "more_info": "* For more information about the flaw, see [CVE-2017-2636](https://access.redhat.com/security/cve/CVE-2017-2636) and [CVE-2017-2636 article](https://access.redhat.com/security/vulnerabilities/CVE-2017-2636).\n* The Customer Portal page for the [Red Hat Security Team](https://access.redhat.com/security/) contains more information about policies, procedures, and alerts for Red Hat products.\n* The Security Team also maintains a frequently updated blog at [securityblog.redhat.com](https://securityblog.redhat.com).\n", - "active": true, - "node_id": null, - "category": "Security", - "retired": false, - "reboot_required": false, - "publish_date": null, - "rec_impact": 2, - "rec_likelihood": 2, - "resolution": "

Red Hat recommends updating the kernel package and rebooting the system.

\n
# yum update kernel\n# reboot\n
" - }, - "maintenance_actions": [{ - "done": false, - "id": 58335, - "maintenance_plan": { - "maintenance_id": 16545, - "name": "Insights Summit 2017 - n_HDLC", - "description": "", - "start": "2017-05-06T02:00:00.000Z", - "end": "2017-05-06T03:00:00.000Z", - "created_by": "rhn-support-wnix", - "silenced": false, - "hidden": false, - "suggestion": null, - "remote_branch": null - } - }, { - "done": false, - "id": 61895, - "maintenance_plan": { - "maintenance_id": 16835, - "name": "Summit 2017 N_HDLC", - "description": "", - "start": null, - "end": null, - "created_by": "rhn-support-wnix", - "silenced": false, - "hidden": false, - "suggestion": null, - "remote_branch": null - } - }, { - "done": false, - "id": 66225, - "maintenance_plan": { - "maintenance_id": 19445, - "name": "Seattle's Best Plan", - "description": null, - "start": null, - "end": null, - "created_by": "rhn-support-wnix", - "silenced": false, - "hidden": false, - "suggestion": null, - "remote_branch": null - } - }, { - "done": false, - "id": 71075, - "maintenance_plan": { - "maintenance_id": 19845, - "name": "Optum N_HDLC FIX", - "description": null, - "start": null, - "end": null, - "created_by": "rhn-support-wnix", - "silenced": false, - "hidden": false, - "suggestion": null, - "remote_branch": null - } - }] - }] - }; - // { - // "stale_ack": true, - // "unregistered_at": null, - // "product": "rhel", - // "display_name": null, - // "parent_id": null, - // "last_check_in": "2017-05-11T13:24:40.000Z", - // "created_at": "2017-05-11T13:24:26.000Z", - // "hostname": "37c2ce54c4ec", - // "remote_branch": null, - // "updated_at": "2017-05-12T18:12:40.000Z", - // "reports": [ - // { - // "maintenance_actions": [], - // "uuid": "a527f87cf47b4e60abddc0eea71d2a99", - // "rule": { - // "retired": false, - // "rec_likelihood": 2, - // "ansible": false, - // "summary": "Third party components, or installation of a distribution that is not Red Hat Enterprise Linux can lead to difficulties in supporting your 
system.", - // "category": "Stability", - // "severity": "INFO", - // "generic": "These hosts appear to be running a version of Linux other than Red Hat Enterprise Linux, or has components from a third party distribution, in some circumstances, this can mean a support case will be rejected.\n\nYou should confirm that this machine is installed with RHEL and review the [Production Support Scope of Coverage](https://access.redhat.com/support/offerings/production/soc)", - // "type": null, - // "more_info": null, - // "description": "Other Linux release detected", - // "rec_impact": 1, - // "reboot_required": false, - // "ansible_mitigation": false, - // "reason": "

This host appears to be running a version of Linux other than Red Hat Enterprise Linux, or has components from a third party distribution:

\n
    \n
  • Other Linux: Unknown kernel
  • \n
\n
    \n
  • Kernel: 4.4.47-boot2docker
  • \n
\n", - // "node_id": "1067", - // "generic_html": "

These hosts appear to be running a version of Linux other than Red Hat Enterprise Linux, or has components from a third party distribution, in some circumstances, this can mean a support case will be rejected.

\n

You should confirm that this machine is installed with RHEL and review the Production Support Scope of Coverage

\n", - // "active": true, - // "more_info_html": "", - // "plugin": "other_linux_system", - // "summary_html": "

Third party components, or installation of a distribution that is not Red Hat Enterprise Linux can lead to difficulties in supporting your system.

\n", - // "error_key": "OTHER_LINUX_SYSTEM", - // "publish_date": "2016-10-31T04:08:35.000Z", - // "resolution": "

Another version of Linux installed or running on the system can present difficulties when investigating issues with Red Hat Global Support Services.

\n

Depending on the situation, GSS may require you to demonstrate the problem on a RHEL only installation or be unable to assist and reject your case in accordance with the Production Support Scope of Coverage.

\n", - // "rule_id": "other_linux_system|OTHER_LINUX_SYSTEM", - // "ansible_fix": false - // }, - // "id": 730932995, - // "system_id": "231dc5b8-eb0e-46d0-a959-4716108b040c", - // "details": { - // "kernel": "4.4.47-boot2docker", - // "other_linux": "Unknown kernel", - // "error_key": "OTHER_LINUX_SYSTEM" - // }, - // "date": "2017-05-11T13:24:40.000Z", - // "rule_id": "other_linux_system|OTHER_LINUX_SYSTEM", - // "account_number": "1460290" - // }, - // { - // "maintenance_actions": ["PLAN: Tonic lab", "PLAN: foobar"], - // "uuid": "a527f87cf47b4e60abddc0eea71d2a99", - // "rule": { - // "retired": false, - // "rec_likelihood": 3, - // "ansible": false, - // "summary": "During boot time, the system runs a file system check against all devices in the `/etc/fstab` file. If the file system type specified in `/etc/fstab` is not the same as the output of the `mount` command, or the device specified in `etc/fstab` does not exist, the system will not boot successfully.\n", - // "category": "Availability", - // "severity": "ERROR", - // "generic": "During boot time, the system runs a file system check against all devices in the `/etc/fstab` file. If the file system type specified in `/etc/fstab` is not the same as the output of the `mount` command, or the device specified in `etc/fstab` does not exist, the system will not boot successfully.\n", - // "type": "rhel", - // "more_info": null, - // "description": "System will not reboot successfully when there is misconfiguration in /etc/fstab", - // "rec_impact": 3, - // "reboot_required": false, - // "ansible_mitigation": false, - // "reason": "

This host will not reboot successfully when there is no entry in /etc/fstab.

\n", - // "node_id": "23769", - // "generic_html": "

During boot time, the system runs a file system check against all devices in the /etc/fstab file. If the file system type specified in /etc/fstab is not the same as the output of the mount command, or the device specified in etc/fstab does not exist, the system will not boot successfully.

\n", - // "active": true, - // "more_info_html": "", - // "plugin": "sanity_check_fstab", - // "summary_html": "

During boot time, the system runs a file system check against all devices in the /etc/fstab file. If the file system type specified in /etc/fstab is not the same as the output of the mount command, or the device specified in etc/fstab does not exist, the system will not boot successfully.

\n", - // "error_key": "CHECK_FSTAB_ENTRY_ERROR", - // "publish_date": "2017-05-04T00:00:00.000Z", - // "resolution": "

To make sure the system can reboot correctly, Red Hat recommends that you add the necessary entries in /etc/fstab.

\n", - // "rule_id": "sanity_check_fstab|CHECK_FSTAB_ENTRY_ERROR", - // "ansible_fix": false - // }, - // "id": 730933025, - // "system_id": "231dc5b8-eb0e-46d0-a959-4716108b040c", - // "details": { - // "fstab_is_empty": "True", - // "error_key": "CHECK_FSTAB_ENTRY_ERROR" - // }, - // "date": "2017-05-11T13:24:40.000Z", - // "rule_id": "sanity_check_fstab|CHECK_FSTAB_ENTRY_ERROR", - // "account_number": "1460290" - // }, - // { - // "maintenance_actions": [], - // "uuid": "a527f87cf47b4e60abddc0eea71d2a99", - // "rule": { - // "retired": false, - // "rec_likelihood": 2, - // "ansible": true, - // "summary": "The grub's configuration file is not getting updated after installing new kernel when symlink missed.\n", - // "category": "Stability", - // "severity": "WARN", - // "generic": "When a new kernel is installed, the installation process updates the grub file under /etc directory which is a symlink to the grub file under /boot directory. If the symlink is deleted and a new regular file is created, the update to the new grub file under /etc directory will not be reflected to the grub file under /boot directory. \n\nFor RHEL6\n* No UEFI: /etc/grub.conf --> /boot/grub/grub.conf\n* With UEFI: /etc/grub.conf --> /boot/efi/EFI/redhat/grub.conf\n\nFor RHEL7\n* No UEFI: /etc/grub2.cfg --> /boot/grub2/grub.cfg\n* With UEFI: /etc/grub2.cfg --> /boot/efi/EFI/redhat/grub.cfg\n", - // "type": null, - // "more_info": null, - // "description": "The grub's configuration file is not getting updated after installing new kernel when symlink missed", - // "rec_impact": 3, - // "reboot_required": false, - // "ansible_mitigation": false, - // "reason": "

The symlink of grub configuration under "/etc" on this host was deleted or\nremoved mistakenly. \nHowever, it should be a symlink to the /boot/grub/grub.conf file.

\n", - // "node_id": "770663", - // "generic_html": "

When a new kernel is installed, the installation process updates the grub file under /etc directory which is a symlink to the grub file under /boot directory. If the symlink is deleted and a new regular file is created, the update to the new grub file under /etc directory will not be reflected to the grub file under /boot directory.

\n

For RHEL6

\n
    \n
  • No UEFI: /etc/grub.conf --> /boot/grub/grub.conf
  • \n
  • With UEFI: /etc/grub.conf --> /boot/efi/EFI/redhat/grub.conf
  • \n
\n

For RHEL7

\n
    \n
  • No UEFI: /etc/grub2.cfg --> /boot/grub2/grub.cfg
  • \n
  • With UEFI: /etc/grub2.cfg --> /boot/efi/EFI/redhat/grub.cfg
  • \n
\n", - // "active": true, - // "more_info_html": "", - // "plugin": "missing_grub_symlink", - // "summary_html": "

The grub's configuration file is not getting updated after installing new kernel when symlink missed.

\n", - // "error_key": "MISSED_GRUB_SYMLINK_ISSUE", - // "publish_date": "2016-10-31T04:08:31.000Z", - // "resolution": "

To resolve the issue, Red Hat recommends that you complete the following steps:

\n
    \n
  1. Update the /boot/grub/grub.conf file content.
  2. \n\n# cp /etc/grub.conf /boot/grub/grub.conf\n\n
  3. Verify the /boot/grub/grub.conf file has been updated with all the entries.
  4. \n
  5. Remove the /etc/grub.conf file:
  6. \n\n# rm -f /etc/grub.conf\n\n
  7. Create a new symlink to the /boot/grub/grub.conf file:
  8. \n\n# ln -s /boot/grub/grub.conf /etc/grub.conf\n\n
  9. Verify the symlink:
  10. \n\n# ls -l /etc/grub.conf\nlrwxrwxrwx. 1 root root 22 Jan 14 2016 /etc/grub.conf -> ../boot/grub/grub.conf\n\n
\n", - // "rule_id": "missing_grub_symlink|MISSED_GRUB_SYMLINK_ISSUE", - // "ansible_fix": true - // }, - // "id": 730933035, - // "system_id": "231dc5b8-eb0e-46d0-a959-4716108b040c", - // "details": { - // "grub_name": "grub.conf", - // "grub_fullname": "/boot/grub/grub.conf", - // "grub_file": "no", - // "error_key": "MISSED_GRUB_SYMLINK_ISSUE" - // }, - // "date": "2017-05-11T13:24:40.000Z", - // "rule_id": "missing_grub_symlink|MISSED_GRUB_SYMLINK_ISSUE", - // "account_number": "1460290" - // }, - // { - // "maintenance_actions": [], - // "uuid": "a527f87cf47b4e60abddc0eea71d2a99", - // "rule": { - // "retired": false, - // "rec_likelihood": 1, - // "ansible": false, - // "summary": "System clock inaccurate when a leap second event happens in a non-NTP system without following the TAI timescale.\n", - // "category": "Stability", - // "severity": "INFO", - // "generic": "System clock inaccurate when a leap second event happens in a non-NTP system without following the TAI timescale.\n", - // "type": null, - // "more_info": null, - // "description": "System clock inaccurate when a leap second event happens in a non-NTP system without following the TAI timescale", - // "rec_impact": 2, - // "reboot_required": false, - // "ansible_mitigation": false, - // "reason": "

This system running as a non-NTP system is following the UTC timescale. In this situation, manual correction is required to avoid system clock inaccuracy when a leap second event happens.

\n", - // "node_id": "1465713", - // "generic_html": "

System clock inaccurate when a leap second event happens in a non-NTP system without following the TAI timescale.

\n", - // "active": true, - // "more_info_html": "", - // "plugin": "tzdata_need_upgrade", - // "summary_html": "

System clock inaccurate when a leap second event happens in a non-NTP system without following the TAI timescale.

\n", - // "error_key": "TZDATA_NEED_UPGRADE_INFO_NEED_MANUAL_ACTION", - // "publish_date": null, - // "resolution": "

The system clock of this system needs manual correction when a leap second event happens. For example:

\n
\n\n# date -s \"20170101 HH:MM:SS\"\n\n
\n\n

You need to replace "HH:MM:SS" with the accurate time after the leap second occurs.

\n", - // "rule_id": "tzdata_need_upgrade|TZDATA_NEED_UPGRADE_INFO_NEED_MANUAL_ACTION", - // "ansible_fix": false - // }, - // "id": 730933045, - // "system_id": "231dc5b8-eb0e-46d0-a959-4716108b040c", - // "details": { - // "error_key": "TZDATA_NEED_UPGRADE_INFO_NEED_MANUAL_ACTION" - // }, - // "date": "2017-05-11T13:24:40.000Z", - // "rule_id": "tzdata_need_upgrade|TZDATA_NEED_UPGRADE_INFO_NEED_MANUAL_ACTION", - // "account_number": "1460290" - // } - // ], - // "isCheckingIn": false, - // "system_id": "231dc5b8-eb0e-46d0-a959-4716108b040c", - // "account_number": "1460290", - // "system_type_id": 105, - // "toString": "37c2ce54c4ec", - // "type": "machine", - // "remote_leaf": null - // }; - return data; - }] + InsightsData: ['Rest', '$stateParams', 'GetBasePath', 'ProcessErrors', + (Rest, $stateParams, GetBasePath, ProcessErrors) => { + var path = `${GetBasePath('hosts')}${$stateParams.host_id}/insights`; + Rest.setUrl(path); + return Rest.get() + .then(function(data) { + return (data.data.insights_content); + }).catch(function(response) { + ProcessErrors(null, response.data, response.status, null, { + hdr: 'Error!', + msg: 'Failed to get insights info. GET returned status: ' + + response.status + }); + }); + } + ], } }; diff --git a/awx/ui/client/src/inventories/insights/plan-filter.js b/awx/ui/client/src/inventories/insights/plan-filter.js index ba64cd6894..40916cd5ec 100644 --- a/awx/ui/client/src/inventories/insights/plan-filter.js +++ b/awx/ui/client/src/inventories/insights/plan-filter.js 
@@ -5,11 +5,12 @@ *************************************************/ export default function(){ - return function(input) { - if(input === null || input === undefined || Array.isArray(input) && input.length === 0){ + return function(plan) { + if(plan === null || plan === undefined){ return "PLAN: Not Available CREATE A NEW PLAN IN INSIGHTS"; } else { - return `${input[0].maintenance_plan.name} (${input[0].id})`; + let name = (plan.maintenance_plan.name === null) ? "Unnamed Plan" : plan.maintenance_plan.name; + return `${name} (${plan.maintenance_plan.maintenance_id})`; } }; } diff --git a/awx/ui/client/src/inventories/standard/edit/inventory-edit.controller.js b/awx/ui/client/src/inventories/standard/edit/inventory-edit.controller.js index 5b0c19195c..80f457a5c6 100644 --- a/awx/ui/client/src/inventories/standard/edit/inventory-edit.controller.js +++ b/awx/ui/client/src/inventories/standard/edit/inventory-edit.controller.js @@ -29,7 +29,7 @@ function InventoriesEdit($scope, $location, $scope = angular.extend($scope, inventoryData); - $scope.credential_name = (inventoryData.summary_fields.credential && inventoryData.summary_fields.credential.name) ? inventoryData.summary_fields.credential.name : null; + $scope.credential_name = (inventoryData.summary_fields.insights_credential && inventoryData.summary_fields.insights_credential.name) ? inventoryData.summary_fields.insights_credential.name : null; $scope.organization_name = inventoryData.summary_fields.organization.name; $scope.inventory_variables = inventoryData.variables === null || inventoryData.variables === '' ? '---' : ParseVariableString(inventoryData.variables); $scope.parseType = 'yaml'; From bf52141f4f4545bdf867baf04f94eb2eb1a3810a Mon Sep 17 00:00:00 2001 
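Review bot: In the plan-filter.js hunk the new body reads `plan.maintenance_plan.name` after checking only `plan` itself for null or undefined, so an entry that lacks a `maintenance_plan` object throws a TypeError inside the template filter. The commented-out sample data removed by this same patch contains `maintenance_actions` entries that are plain strings (`"PLAN: Tonic lab"`), so such shapes may occur, although that is sample data rather than a confirmed API contract. I would widen the guard to `if(plan == null || plan.maintenance_plan == null){` and use `let name = plan.maintenance_plan.name || "Unnamed Plan";` so that an empty or missing name also falls back to the placeholder.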
From: Jared Tabor Date: Thu, 1 Jun 2017 09:58:44 -0700 Subject: [PATCH 5/7] adding "Remediate Inventory" button to inventory --- .../standard/edit/inventory-edit.controller.js | 4 ++++ awx/ui/client/src/inventories/standard/inventory.form.js | 8 ++++++++ 2 files changed, 12 insertions(+) diff --git a/awx/ui/client/src/inventories/standard/edit/inventory-edit.controller.js b/awx/ui/client/src/inventories/standard/edit/inventory-edit.controller.js index 80f457a5c6..5b9d0e69bc 100644 --- a/awx/ui/client/src/inventories/standard/edit/inventory-edit.controller.js +++ b/awx/ui/client/src/inventories/standard/edit/inventory-edit.controller.js @@ -91,6 +91,10 @@ function InventoriesEdit($scope, $location, $state.go('inventories'); }; + $scope.remediateInventory = function(){ + $state.go('templates.addJobTemplate'); + }; + } export default ['$scope', '$location', diff --git a/awx/ui/client/src/inventories/standard/inventory.form.js b/awx/ui/client/src/inventories/standard/inventory.form.js index b6fa892974..ee31503dfc 100644 --- a/awx/ui/client/src/inventories/standard/inventory.form.js +++ b/awx/ui/client/src/inventories/standard/inventory.form.js @@ -188,6 +188,14 @@ function(i18n, InventoryCompletedJobsList) { skipGenerator: true }, completed_jobs: completed_jobs_object + }, + relatedButtons: { + remediate_inventory: { + ngClick: 'remediateInventory()', + ngShow: 'insights_credential!==null', + label: i18n._('Remediate Inventory'), + class: 'Form-primaryButton' + } } };}]; From 38ce6c7226a8ded4dd70a4b0f6017e849bf6c4fc Mon Sep 17 00:00:00 2001 
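Review bot: In the inventory.form.js hunk, `ngShow: 'insights_credential!==null'` is also true when `insights_credential` is undefined, so the "Remediate Inventory" button would be shown on any scope that never sets that property; whether this form is rendered on such a scope cannot be told from the hunk. A truthiness test, `ngShow: 'insights_credential'`, hides the button for both null and undefined. The form definition starts and ends outside the hunk.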
From: Jared Tabor Date: Fri, 2 Jun 2017 10:38:53 -0700 Subject: [PATCH 6/7] Insights Cred on Project form, for insights project --- .../insights/insights.controller.js | 10 +++--- .../insights/insights.partial.html | 2 +- .../edit/inventory-edit.controller.js | 4 +-- .../inventories/standard/inventory.form.js | 2 +- .../projects/add/projects-add.controller.js | 20 +++++++++++ .../projects/edit/projects-edit.controller.js | 21 ++++++++++++ awx/ui/client/src/projects/projects.form.js | 7 ++-- .../job-template-add.controller.js | 33 ++++++++----------- awx/ui/client/src/templates/main.js | 32 +++++++++++++++++- 9 files changed, 99 insertions(+), 32 deletions(-) diff --git a/awx/ui/client/src/inventories/insights/insights.controller.js b/awx/ui/client/src/inventories/insights/insights.controller.js index 74bd1a7652..69cc50e7ed 100644 --- a/awx/ui/client/src/inventories/insights/insights.controller.js +++ b/awx/ui/client/src/inventories/insights/insights.controller.js @@ -4,8 +4,8 @@ * All Rights Reserved *************************************************/ -export default [ 'InsightsData', '$scope', 'moment', '$state', -function (data, $scope, moment, $state) { +export default [ 'InsightsData', '$scope', 'moment', '$state', 'resourceData', +function (data, $scope, moment, $state, resourceData) { function init() { @@ -20,6 +20,8 @@ function (data, $scope, moment, $state) { $scope.low_count = _.filter($scope.reports_dataset.reports, (report) => {return report.rule.severity === "INFO"; }).length; let a = moment(), b = moment($scope.reports_dataset.last_check_in); $scope.last_check_in = a.diff(b, 'hours'); + $scope.inventory = resourceData.data; + $scope.insights_credential = resourceData.data.summary_fields.insights_credential.id; } init(); 
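Review bot: In the second insights.controller.js hunk, `resourceData.data.summary_fields.insights_credential.id` is dereferenced in `init()` without checking that `summary_fields.insights_credential` is present, so an inventory without an Insights credential would make the controller throw during initialisation. The inventory edit controller changed earlier in this series guards the same field with `summary_fields.insights_credential && ...`, and this controller should be consistent with it. I would write `let cred = resourceData.data.summary_fields.insights_credential;` followed by `$scope.insights_credential = cred ? cred.id : null;`. The body of `init()` lies partly outside the hunk.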
@@ -75,8 +77,8 @@ function (data, $scope, moment, $state) { $scope.viewDataInInsights = function(){ window.open(`https://access.redhat.com/insights/inventory?machine=${$scope.$parent.host.insights_system_id}`, '_blank'); }; - $scope.remediateInventory = function(){ - $state.go('templates.addJobTemplate'); + $scope.remediateInventory = function(inv_id, inv_name, insights_credential){ + $state.go('templates.addJobTemplate', {inventory_id: inv_id, inventory_name:inv_name, credential_id: insights_credential}); }; $scope.formCancel = function(){ $state.go('inventories', null, {reload: true}); diff --git a/awx/ui/client/src/inventories/insights/insights.partial.html b/awx/ui/client/src/inventories/insights/insights.partial.html index 201f30171c..c161c49fea 100644 --- a/awx/ui/client/src/inventories/insights/insights.partial.html +++ b/awx/ui/client/src/inventories/insights/insights.partial.html @@ -76,6 +76,6 @@
- +
diff --git a/awx/ui/client/src/inventories/standard/edit/inventory-edit.controller.js b/awx/ui/client/src/inventories/standard/edit/inventory-edit.controller.js index 5b9d0e69bc..70500bac10 100644 --- a/awx/ui/client/src/inventories/standard/edit/inventory-edit.controller.js +++ b/awx/ui/client/src/inventories/standard/edit/inventory-edit.controller.js @@ -91,8 +91,8 @@ function InventoriesEdit($scope, $location, $state.go('inventories'); }; - $scope.remediateInventory = function(){ - $state.go('templates.addJobTemplate'); + $scope.remediateInventory = function(inv_id, inv_name, insights_credential){ + $state.go('templates.addJobTemplate', {inventory_id: inv_id, inventory_name:inv_name, credential_id: insights_credential}); }; } diff --git a/awx/ui/client/src/inventories/standard/inventory.form.js b/awx/ui/client/src/inventories/standard/inventory.form.js index ee31503dfc..468ab1112f 100644 --- a/awx/ui/client/src/inventories/standard/inventory.form.js +++ b/awx/ui/client/src/inventories/standard/inventory.form.js @@ -191,7 +191,7 @@ function(i18n, InventoryCompletedJobsList) { }, relatedButtons: { remediate_inventory: { - ngClick: 'remediateInventory()', + ngClick: 'remediateInventory(id, name, insights_credential)', ngShow: 'insights_credential!==null', label: i18n._('Remediate Inventory'), class: 'Form-primaryButton' diff --git a/awx/ui/client/src/projects/add/projects-add.controller.js b/awx/ui/client/src/projects/add/projects-add.controller.js index 2c90d6448e..7f2e4c7abc 100644 --- a/awx/ui/client/src/projects/add/projects-add.controller.js +++ b/awx/ui/client/src/projects/add/projects-add.controller.js @@ -121,6 +121,7 @@ export default ['$scope', '$location', '$stateParams', 'GenerateForm', if ($scope.scm_type.value) { switch ($scope.scm_type.value) { case 'git': + $scope.credentialLabel = "SCM Credential"; $scope.urlPopover = '

' + i18n._('Example URLs for GIT SCM include:') + '

  • https://github.com/ansible/ansible.git
  • ' + @@ -130,11 +131,13 @@ export default ['$scope', '$location', '$stateParams', 'GenerateForm', 'SSH. GIT read only protocol (git://) does not use username or password information.'), '', ''); break; case 'svn': + $scope.credentialLabel = "SCM Credential"; $scope.urlPopover = '

    ' + i18n._('Example URLs for Subversion SCM include:') + '

    ' + '
    • https://github.com/ansible/ansible
    • svn://servername.example.com/path
    • ' + '
    • svn+ssh://servername.example.com/path
    '; break; case 'hg': + $scope.credentialLabel = "SCM Credential"; $scope.urlPopover = '

    ' + i18n._('Example URLs for Mercurial SCM include:') + '

    ' + '
    • https://bitbucket.org/username/project
    • ssh://hg@bitbucket.org/username/project
    • ' + '
    • ssh://server.example.com/path
    ' + @@ -142,7 +145,14 @@ export default ['$scope', '$location', '$stateParams', 'GenerateForm', 'Do not put the username and key in the URL. ' + 'If using Bitbucket and SSH, do not supply your Bitbucket username.'), '', ''); break; + case 'insights': + $scope.pathRequired = false; + $scope.scmRequired = false; + $scope.credRequired = true; + $scope.credentialLabel = "Credential"; + break; default: + $scope.credentialLabel = "SCM Credential"; $scope.urlPopover = '

    ' + i18n._('URL popover text'); } } @@ -151,5 +161,15 @@ export default ['$scope', '$location', '$stateParams', 'GenerateForm', $scope.formCancel = function() { $state.go('projects'); }; + $scope.lookupCredential = function(){ + let credType = ($scope.scm_type.value === "insights") ? 13 : 2; //insights cred type is 13, SCM is 2 + $state.go('.credential', { + credential_search: { + credential_type: credType, + page_size: '5', + page: '1' + } + }); + }; } ]; diff --git a/awx/ui/client/src/projects/edit/projects-edit.controller.js b/awx/ui/client/src/projects/edit/projects-edit.controller.js index 4cb088a638..ea5b9f9cd3 100644 --- a/awx/ui/client/src/projects/edit/projects-edit.controller.js +++ b/awx/ui/client/src/projects/edit/projects-edit.controller.js @@ -254,6 +254,7 @@ export default ['$scope', '$rootScope', '$stateParams', 'ProjectsForm', 'Rest', if ($scope.scm_type.value) { switch ($scope.scm_type.value) { case 'git': + $scope.credentialLabel = "SCM Credential"; $scope.urlPopover = '

    ' + i18n._('Example URLs for GIT SCM include:') + '

    • https://github.com/ansible/ansible.git
    • ' + '
    • git@github.com:ansible/ansible.git
    • git://servername.example.com/ansible.git
    ' + '

    ' + i18n.sprintf(i18n._('%sNote:%s When using SSH protocol for GitHub or Bitbucket, enter an SSH key only, ' + @@ -261,11 +262,13 @@ export default ['$scope', '$rootScope', '$stateParams', 'ProjectsForm', 'Rest', 'SSH. GIT read only protocol (git://) does not use username or password information.'), '', ''); break; case 'svn': + $scope.credentialLabel = "SCM Credential"; $scope.urlPopover = '

    ' + i18n._('Example URLs for Subversion SCM include:') + '

    ' + '
    • https://github.com/ansible/ansible
    • svn://servername.example.com/path
    • ' + '
    • svn+ssh://servername.example.com/path
    '; break; case 'hg': + $scope.credentialLabel = "SCM Credential"; $scope.urlPopover = '

    ' + i18n._('Example URLs for Mercurial SCM include:') + '

    ' + '
    • https://bitbucket.org/username/project
    • ssh://hg@bitbucket.org/username/project
    • ' + '
    • ssh://server.example.com/path
    ' + @@ -273,12 +276,30 @@ export default ['$scope', '$rootScope', '$stateParams', 'ProjectsForm', 'Rest', 'Do not put the username and key in the URL. ' + 'If using Bitbucket and SSH, do not supply your Bitbucket username.'), '', ''); break; + case 'insights': + $scope.pathRequired = false; + $scope.scmRequired = false; + $scope.credRequired = true; + $scope.credentialLabel = "Credential"; + break; default: + $scope.credentialLabel = "SCM Credential"; $scope.urlPopover = '

    ' + i18n._('URL popover text'); } } }; + $scope.lookupCredential = function(){ + let credType = ($scope.scm_type.value === "insights") ? 13 : 2; //insights cred type is 13, SCM is 2 + $state.go('.credential', { + credential_search: { + credential_type: credType, + page_size: '5', + page: '1' + } + }); + }; + $scope.SCMUpdate = function() { if ($scope.project_obj.scm_type === "Manual" || Empty($scope.project_obj.scm_type)) { // ignore diff --git a/awx/ui/client/src/projects/projects.form.js b/awx/ui/client/src/projects/projects.form.js index 8297213be7..7399546d68 100644 --- a/awx/ui/client/src/projects/projects.form.js +++ b/awx/ui/client/src/projects/projects.form.js @@ -131,9 +131,10 @@ export default ['i18n', 'NotificationsList', function(i18n, NotificationsList) { basePath: 'credentials', list: 'CredentialList', // apply a default search filter to show only scm credentials - search: { - kind: 'scm' - }, + // search: { + // kind: 'scm' + // }, + ngClick: 'lookupCredential()', autopopulateLookup: false, awRequiredWhen: { reqExpression: "credRequired", diff --git a/awx/ui/client/src/templates/job_templates/add-job-template/job-template-add.controller.js b/awx/ui/client/src/templates/job_templates/add-job-template/job-template-add.controller.js index f819b14b5f..14041b1a85 100644 --- a/awx/ui/client/src/templates/job_templates/add-job-template/job-template-add.controller.js +++ b/awx/ui/client/src/templates/job_templates/add-job-template/job-template-add.controller.js 
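Review bot: The projects.form.js hunk leaves the old `search: { kind: 'scm' }` default behind as three commented-out lines, under a comment that still says a default search filter is applied to show only scm credentials. The filter now comes from `lookupCredential()` in the add and edit controllers, so I would delete the commented lines and replace the comment with `// credential type filter is set in lookupCredential()`. If the `.credential` lookup state can be reached without going through `lookupCredential()`, the list would no longer be restricted by type; that cannot be confirmed from the hunk.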
@@ -9,13 +9,13 @@ '$stateParams', 'JobTemplateForm', 'GenerateForm', 'Rest', 'Alert', 'ProcessErrors', 'ClearScope', 'GetBasePath', 'md5Setup', 'ParseTypeChange', 'Wait', 'Empty', 'ToJSON', 'CallbackHelpInit', 'GetChoices', '$state', - 'CreateSelect2', '$q', 'i18n', + 'CreateSelect2', '$q', 'i18n', 'Inventory', 'Project', function( $filter, $scope, $stateParams, JobTemplateForm, GenerateForm, Rest, Alert, ProcessErrors, ClearScope, GetBasePath, md5Setup, ParseTypeChange, Wait, Empty, ToJSON, CallbackHelpInit, GetChoices, - $state, CreateSelect2, $q, i18n + $state, CreateSelect2, $q, i18n, Inventory, Project ) { Rest.setUrl(GetBasePath('job_templates')); @@ -80,24 +80,6 @@ } $scope.job_type = $scope.job_type_options[form.fields.job_type.default]; - // if you're getting to the form from the scan job section on inventories, - // set the job type select to be scan - if ($stateParams.inventory_id) { - // This means that the job template form was accessed via inventory prop's - // This also means the job is a scan job. - $scope.job_type.value = 'scan'; - $scope.jobTypeChange(); - $scope.inventory = $stateParams.inventory_id; - Rest.setUrl(GetBasePath('inventory') + $stateParams.inventory_id + '/'); - Rest.get() - .success(function (data) { - $scope.inventory_name = data.name; - }) - .error(function (data, status) { - ProcessErrors($scope, data, status, form, { hdr: 'Error!', - msg: 'Failed to lookup inventory: ' + data.id + '. GET returned status: ' + status }); - }); - } CreateSelect2({ element:'#job_template_job_type', multiple: false @@ -254,6 +236,17 @@ } }; + if(Inventory){ + $scope.inventory = Inventory.inventory_id; + $scope.inventory_name = Inventory.inventory_name; + } + if(Project){ + $scope.project = Project.id; + $scope.project_name = Project.name; + selectPlaybook('force_load'); + checkSCMStatus(); + } + // Register a watcher on project_name if ($scope.selectPlaybookUnregister) { $scope.selectPlaybookUnregister(); 
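Review bot: `$scope.inventory_name = Inventory.inventory_name` in the last hunk displays a name that the `Inventory` resolve in templates/main.js copies straight from the `inventory_name` query parameter, whereas the block removed by the previous hunk fetched the name from the inventory endpoint for the given id. A URL whose `inventory_id` and `inventory_name` do not match would show one inventory's name in the form while the other id is submitted. I would keep a lookup by id (in the controller or in the resolve) and drop `inventory_name` from the state URL. The controller function starts and ends outside these hunks.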
diff --git a/awx/ui/client/src/templates/main.js b/awx/ui/client/src/templates/main.js index c733507f05..717b8ec2c3 100644 --- a/awx/ui/client/src/templates/main.js +++ b/awx/ui/client/src/templates/main.js @@ -52,11 +52,41 @@ angular.module('templates', [surveyMaker.name, templatesList.name, jobTemplatesA addJobTemplate = stateDefinitions.generateTree({ name: 'templates.addJobTemplate', - url: '/add_job_template', + url: '/add_job_template?inventory_id&inventory_name&credential_id', modes: ['add'], form: 'JobTemplateForm', controllers: { add: 'JobTemplateAdd' + }, + resolve: { + add: { + Inventory: ['$stateParams', + function($stateParams){ + if($stateParams.inventory_id){ + let obj = {}; + obj.inventory_id = Number($stateParams.inventory_id); + obj.inventory_name = $stateParams.inventory_name; + return obj; + } + }], + Project: ['$stateParams', 'Rest', 'GetBasePath', 'ProcessErrors', + function($stateParams, Rest, GetBasePath, ProcessErrors){ + if($stateParams.credential_id){ + let path = `${GetBasePath('projects')}?credential__id=${Number($stateParams.credential_id)}`; + Rest.setUrl(path); + return Rest.get(). + then(function(data){ + return data.data.results[0]; + }).catch(function(response) { + ProcessErrors(null, response.data, response.status, null, { + hdr: 'Error!', + msg: 'Failed to get project info. GET returned status: ' + + response.status + }); + }); + } + }] + } } }); From ff46e46b69b310c2736e36a4ef0fc8af4206f751 Mon Sep 17 00:00:00 2001 
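Review bot: The `Project` resolve returns `data.data.results[0]` without checking how many projects matched `credential__id`, so when several projects use the same credential the first one is silently preselected in the new job template. `Number($stateParams.credential_id)` also yields `NaN` for a non-numeric parameter and the request is still sent as `credential__id=NaN`; the `Inventory` resolve has the same issue with `Number($stateParams.inventory_id)`. I would parse with `Number.parseInt(..., 10)`, return early unless `Number.isInteger(id)`, and preselect only when `data.data.results.length === 1`. The `.catch` branch resolves to undefined after `ProcessErrors`, which the controller's `if(Project)` then treats the same as "no project found".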
From: Jared Tabor Date: Mon, 5 Jun 2017 13:23:10 -0700 Subject: [PATCH 7/7] submitting changes after PR feedback adding translate directive to partial, performing a lookup on credential_types for the credential on the project page, and some other small changes --- .../insights/insights.controller.js | 24 +++++-------------- .../insights/insights.partial.html | 18 +++++++------- .../projects/add/projects-add.controller.js | 14 +++++++---- .../projects/edit/projects-edit.controller.js | 13 ++++++---- awx/ui/client/src/projects/main.js | 23 +++++++++++++++++- 5 files changed, 56 insertions(+), 36 deletions(-) diff --git a/awx/ui/client/src/inventories/insights/insights.controller.js b/awx/ui/client/src/inventories/insights/insights.controller.js index 69cc50e7ed..786df445a1 100644 --- a/awx/ui/client/src/inventories/insights/insights.controller.js +++ b/awx/ui/client/src/inventories/insights/insights.controller.js 
@@ -33,44 +33,32 @@ function (data, $scope, moment, $state, resourceData) { } if(filter === "solvable"){ $scope.reports = _.filter($scope.reports_dataset.reports, function(report){ - if(report.maintenance_actions.length > 0){ - return report; - } + return (report.maintenance_actions.length > 0); }); } if(filter === "not_solvable"){ $scope.reports = _.filter($scope.reports_dataset.reports, function(report){ - if(report.maintenance_actions.length === 0){ - return report; - } + return (report.maintenance_actions.length === 0); }); } if(filter === "critical"){ $scope.reports = _.filter($scope.reports_dataset.reports, function(report){ - if(report.rule.severity === 'CRITICAL'){ - return report; - } + return (report.rule.severity === 'CRITICAL'); }); } if(filter === "high"){ $scope.reports = _.filter($scope.reports_dataset.reports, function(report){ - if(report.rule.severity === 'ERROR'){ - return report; - } + return (report.rule.severity === 'ERROR'); }); } if(filter === "medium"){ $scope.reports = _.filter($scope.reports_dataset.reports, function(report){ - if(report.rule.severity === 'WARN'){ - return report; - } + return (report.rule.severity === 'WARN'); }); } if(filter === "low"){ $scope.reports = _.filter($scope.reports_dataset.reports, function(report){ - if(report.rule.severity === 'INFO'){ - return report; - } + return (report.rule.severity === 'INFO'); }); } }; diff --git a/awx/ui/client/src/inventories/insights/insights.partial.html b/awx/ui/client/src/inventories/insights/insights.partial.html index c161c49fea..d0c98ae65e 100644 --- a/awx/ui/client/src/inventories/insights/insights.partial.html +++ b/awx/ui/client/src/inventories/insights/insights.partial.html @@ -1,38 +1,38 @@
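Review bot: The predicates in this hunk dereference `report.rule.severity` and `report.maintenance_actions.length` directly, so a single report that arrives without `rule` or `maintenance_actions` throws inside `_.filter` and the list is not updated. If the Insights payload is not guaranteed to carry both fields (not visible from here), guard the access, e.g. `return !!report.rule && report.rule.severity === 'CRITICAL';` and `return (report.maintenance_actions || []).length > 0;`. The six branches also differ only in the predicate, so a small map from filter name to predicate would remove the repetition. The enclosing function starts and ends outside the hunk.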

    - This machine has not checked in with Insights in {{last_check_in}} hours + This machine has not checked in with Insights in {{last_check_in}} hours
    -
    Total Issues
    +
    Total Issues
    {{reports_dataset.reports.length}}
    -
    Critical
    +
    Critical
    {{critical_count}}
    -
    High
    +
    High
    {{high_count}}
    -
    Medium
    +
    Medium
    {{med_count}}
    -
    Low
    +
    Low
    {{low_count}}
    @@ -41,13 +41,13 @@
    -
    Solvable With Playbook
    +
    Solvable With Playbook
    {{solvable_count}}
    -
    Not Solvable With Playbook
    +
    Not Solvable With Playbook
    {{not_solvable_count}}
    @@ -64,7 +64,7 @@ aw-tool-tip="Medium Risk" data-placement="top"> -
    ISSUE: {{report.rule.description}}
    +
    ISSUE: {{report.rule.description}}
    {{report.rule.category}}
    {{report.rule.summary}}
    diff --git a/awx/ui/client/src/projects/add/projects-add.controller.js b/awx/ui/client/src/projects/add/projects-add.controller.js index 7f2e4c7abc..a458e1c51e 100644 --- a/awx/ui/client/src/projects/add/projects-add.controller.js +++ b/awx/ui/client/src/projects/add/projects-add.controller.js @@ -7,9 +7,10 @@ export default ['$scope', '$location', '$stateParams', 'GenerateForm', 'ProjectsForm', 'Rest', 'Alert', 'ProcessErrors', 'GetBasePath', 'GetProjectPath', 'GetChoices', 'Wait', '$state', 'CreateSelect2', 'i18n', + 'CredentialTypes', function($scope, $location, $stateParams, GenerateForm, ProjectsForm, Rest, Alert, ProcessErrors, GetBasePath, GetProjectPath, GetChoices, Wait, $state, - CreateSelect2, i18n) { + CreateSelect2, i18n, CredentialTypes) { var form = ProjectsForm(), base = $location.path().replace(/^\//, '').split('/')[0], @@ -153,7 +154,7 @@ export default ['$scope', '$location', '$stateParams', 'GenerateForm', break; default: $scope.credentialLabel = "SCM Credential"; - $scope.urlPopover = '

    ' + i18n._('URL popover text'); + $scope.urlPopover = '

    ' + i18n._('URL popover text') + '

    '; } } @@ -162,10 +163,15 @@ export default ['$scope', '$location', '$stateParams', 'GenerateForm', $state.go('projects'); }; $scope.lookupCredential = function(){ - let credType = ($scope.scm_type.value === "insights") ? 13 : 2; //insights cred type is 13, SCM is 2 + // Perform a lookup on the credential_type. Git, Mercurial, and Subversion + // all use SCM as their credential type. + let credType = _.filter(CredentialTypes, function(credType){ + return ($scope.scm_type.value !== "insights" && credType.kind === "scm" || + $scope.scm_type.value === "insights" && credType.kind === "insights"); + }); $state.go('.credential', { credential_search: { - credential_type: credType, + credential_type: credType[0].id, page_size: '5', page: '1' } diff --git a/awx/ui/client/src/projects/edit/projects-edit.controller.js b/awx/ui/client/src/projects/edit/projects-edit.controller.js index ea5b9f9cd3..be0890de12 100644 --- a/awx/ui/client/src/projects/edit/projects-edit.controller.js +++ b/awx/ui/client/src/projects/edit/projects-edit.controller.js @@ -8,11 +8,11 @@ export default ['$scope', '$rootScope', '$stateParams', 'ProjectsForm', 'Rest', 'Alert', 'ProcessErrors', 'GenerateForm', 'Prompt', 'ClearScope', 'GetBasePath', 'GetProjectPath', 'Authorization', 'GetChoices', 'Empty', 'Wait', 'ProjectUpdate', '$state', 'CreateSelect2', 'ToggleNotification', - 'i18n', + 'i18n', 'CredentialTypes', function($scope, $rootScope, $stateParams, ProjectsForm, Rest, Alert, ProcessErrors, GenerateForm, Prompt, ClearScope, GetBasePath, GetProjectPath, Authorization, GetChoices, Empty, Wait, ProjectUpdate, - $state, CreateSelect2, ToggleNotification, i18n) { + $state, CreateSelect2, ToggleNotification, i18n, CredentialTypes) { ClearScope('htmlTemplate'); 
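Review bot: `credType[0].id` in `$scope.lookupCredential` throws a TypeError whenever the filter matches nothing, which happens if the `CredentialTypes` resolve failed (its error path appears to resolve to undefined) or if the wanted kind is not in the returned list. Select the kind once, use `_.find`, and return early when no type is found, so the credential lookup state is never entered with an undefined `credential_type`. The callback parameter also shadows the outer `credType`, which makes the predicate harder to read. The same code is added to projects-edit.controller.js in its `@@ -290,10 +290,15 @@` hunk and needs the same guard.

```javascript
$scope.lookupCredential = function(){
    // Git, Mercurial, and Subversion all use the SCM credential type.
    const wantedKind = ($scope.scm_type.value === "insights") ? "insights" : "scm";
    const credType = _.find(CredentialTypes, function(type){
        return type.kind === wantedKind;
    });
    if(!credType){
        // Credential types were not loaded or do not include this kind.
        return;
    }
    $state.go('.credential', {
        credential_search: {
            credential_type: credType.id,
            // … unchanged: page_size, page …
```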
@@ -290,10 +290,15 @@ export default ['$scope', '$rootScope', '$stateParams', 'ProjectsForm', 'Rest', }; $scope.lookupCredential = function(){ - let credType = ($scope.scm_type.value === "insights") ? 13 : 2; //insights cred type is 13, SCM is 2 + // Perform a lookup on the credential_type. Git, Mercurial, and Subversion + // all use SCM as their credential type. + let credType = _.filter(CredentialTypes, function(credType){ + return ($scope.scm_type.value !== "insights" && credType.kind === "scm" || + $scope.scm_type.value === "insights" && credType.kind === "insights"); + }); $state.go('.credential', { credential_search: { - credential_type: credType, + credential_type: credType[0].id, page_size: '5', page: '1' } diff --git a/awx/ui/client/src/projects/main.js b/awx/ui/client/src/projects/main.js index 1b76213cd3..52fa7270b6 100644 --- a/awx/ui/client/src/projects/main.js +++ b/awx/ui/client/src/projects/main.js @@ -28,7 +28,24 @@ angular.module('Projects', [revisions.name]) .config(['$stateProvider', 'stateDefinitionsProvider', function($stateProvider, stateDefinitionsProvider) { let stateDefinitions = stateDefinitionsProvider.$get(); - + var projectResolve = { + CredentialTypes: ['Rest', '$stateParams', 'GetBasePath', 'ProcessErrors', + (Rest, $stateParams, GetBasePath, ProcessErrors) => { + var path = GetBasePath('credential_types'); + Rest.setUrl(path); + return Rest.get() + .then(function(data) { + return (data.data.results); + }).catch(function(response) { + ProcessErrors(null, response.data, response.status, null, { + hdr: 'Error!', + msg: 'Failed to get credential tpyes. GET returned status: ' + + response.status + }); + }); + } + ] + }; // lazily generate a tree of substates which will replace this node in ui-router's stateRegistry // see: stateDefinition.factory for usage documentation $stateProvider.state({ 
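Review bot: The `CredentialTypes` resolver in projects/main.js returns only `data.data.results`, which is the first page of the `credential_types` listing. If the API paginates and custom types push `scm` or `insights` past that page, the lookup in the project controllers finds nothing. The `.catch` also resolves to undefined after reporting the error. Either request just the kinds needed or follow `next` until the list is complete, and have consumers handle an empty result. Two smaller items in the same hunk: the message reads `credential tpyes` (should be `msg: 'Failed to get credential types. GET returned status: ' +`), and `$stateParams` is injected but never used.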
@@ -55,6 +72,10 @@ angular.module('Projects', [revisions.name]) }, ncyBreadcrumb: { label: N_('PROJECTS') + }, + resolve: { + add: projectResolve, + edit: projectResolve } }) });