diff --git a/awx/api/views/__init__.py b/awx/api/views/__init__.py
index 78baf63d7e..c0554440a9 100644
--- a/awx/api/views/__init__.py
+++ b/awx/api/views/__init__.py
@@ -31,7 +31,7 @@ from django.utils.translation import ugettext_lazy as _
# Django REST Framework
-from rest_framework.exceptions import PermissionDenied, ParseError
+from rest_framework.exceptions import APIException, PermissionDenied, ParseError, NotFound
from rest_framework.parsers import FormParser
from rest_framework.permissions import AllowAny, IsAuthenticated
from rest_framework.renderers import JSONRenderer, StaticHTMLRenderer
@@ -1613,17 +1613,58 @@ class HostActivityStreamList(SubListAPIView):
return qs.filter(Q(host=parent) | Q(inventory=parent.inventory))
+class BadGateway(APIException):
+ status_code = status.HTTP_502_BAD_GATEWAY
+ default_detail = ''
+ default_code = 'bad_gateway'
+
+
+class GatewayTimeout(APIException):
+ status_code = status.HTTP_504_GATEWAY_TIMEOUT
+ default_detail = ''
+ default_code = 'gateway_timeout'
+
+
class HostInsights(GenericAPIView):
model = models.Host
serializer_class = serializers.EmptySerializer
- def _extract_insights_creds(self, credential):
- return (credential.get_input('username', default=''), credential.get_input('password', default=''))
+ def _call_insights_api(self, url, session, headers):
+ try:
+ res = session.get(url, headers=headers, timeout=120)
+ except requests.exceptions.SSLError:
+ raise BadGateway(_('SSLError while trying to connect to {}').format(url))
+ except requests.exceptions.Timeout:
+ raise GatewayTimeout(_('Request to {} timed out.').format(url))
+ except requests.exceptions.RequestException as e:
+ raise BadGateway(_('Unknown exception {} while trying to GET {}').format(e, url))
- def _get_insights(self, url, username, password):
+ if res.status_code == 401:
+ raise BadGateway(
+ _('Unauthorized access. Please check your Insights Credential username and password.'))
+ elif res.status_code != 200:
+ raise BadGateway(
+ _(
+ 'Failed to access the Insights API at URL {}.'
+ ' Server responded with {} status code and message {}'
+ ).format(url, res.status_code, res.content)
+ )
+
+ try:
+ return res.json()
+ except ValueError:
+ raise BadGateway(
+ _('Expected JSON response from Insights at URL {}'
+ ' but instead got {}').format(url, res.content))
+
+ def _get_session(self, username, password):
session = requests.Session()
session.auth = requests.auth.HTTPBasicAuth(username, password)
+
+ return session
+
+ def _get_headers(self):
license = get_license(show_key=False).get('license_type', 'UNLICENSED')
headers = {
'Content-Type': 'application/json',
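Review bot: The non-200 and non-JSON branches of `_call_insights_api` (`.format(url, res.status_code, res.content)` and the `Expected JSON response` message) hand the upstream response body verbatim to the AWX API caller, so whatever the Insights host — or whatever `INSIGHTS_URL_BASE` has been pointed at — returns (HTML error pages, stack traces, account data) is echoed into the client's `error` field; `res.content` is also `bytes`, so the message will literally read `b'...'`. The `RequestException` branch does the same with `str(e)`, which for some exception types carries proxy and connection details. I would log the body server-side and return only a bounded, decoded excerpt, e.g. `res.text[:200]`, or drop it from the client-facing message entirely. `_get_headers`, where this hunk ends, continues in the next hunk.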
@@ -1633,47 +1674,84 @@ class HostInsights(GenericAPIView):
license
)
}
- return session.get(url, headers=headers, timeout=120)
- def get_insights(self, url, username, password):
+ return headers
+
+ def _get_platform_info(self, host, session, headers):
+ url = '{}/api/inventory/v1/hosts?insights_id={}'.format(
+ settings.INSIGHTS_URL_BASE, host.insights_system_id)
+ res = self._call_insights_api(url, session, headers)
try:
- res = self._get_insights(url, username, password)
- except requests.exceptions.SSLError:
- return (dict(error=_('SSLError while trying to connect to {}').format(url)), status.HTTP_502_BAD_GATEWAY)
- except requests.exceptions.Timeout:
- return (dict(error=_('Request to {} timed out.').format(url)), status.HTTP_504_GATEWAY_TIMEOUT)
- except requests.exceptions.RequestException as e:
- return (dict(error=_('Unknown exception {} while trying to GET {}').format(e, url)), status.HTTP_502_BAD_GATEWAY)
+ res['results'][0]['id']
+ except (IndexError, KeyError):
+ raise NotFound(
+ _('Could not translate Insights system ID {}'
+ ' into an Insights platform ID.').format(host.insights_system_id))
- if res.status_code == 401:
- return (dict(error=_('Unauthorized access. Please check your Insights Credential username and password.')), status.HTTP_502_BAD_GATEWAY)
- elif res.status_code != 200:
- return (dict(error=_(
- 'Failed to gather reports and maintenance plans from Insights API at URL {}. Server responded with {} status code and message {}'
- ).format(url, res.status_code, res.content)), status.HTTP_502_BAD_GATEWAY)
+ return res['results'][0]
- try:
- filtered_insights_content = filter_insights_api_response(res.json())
- return (dict(insights_content=filtered_insights_content), status.HTTP_200_OK)
- except ValueError:
- return (dict(error=_('Expected JSON response from Insights but instead got {}').format(res.content)), status.HTTP_502_BAD_GATEWAY)
+ def _get_reports(self, platform_id, session, headers):
+ url = '{}/api/insights/v1/system/{}/reports/'.format(
+ settings.INSIGHTS_URL_BASE, platform_id)
+
+ return self._call_insights_api(url, session, headers)
+
+ def _get_remediations(self, platform_id, session, headers):
+ url = '{}/api/remediations/v1/remediations?system={}'.format(
+ settings.INSIGHTS_URL_BASE, platform_id)
+
+ remediations = []
+
+ # Iterate over all of the pages of content.
+ while url:
+ data = self._call_insights_api(url, session, headers)
+ remediations.extend(data['data'])
+
+ url = data['links']['next'] # Will be `None` if this is the last page.
+
+ return remediations
+
+ def _get_insights(self, host, session, headers):
+ platform_info = self._get_platform_info(host, session, headers)
+ platform_id = platform_info['id']
+ reports = self._get_reports(platform_id, session, headers)
+ remediations = self._get_remediations(platform_id, session, headers)
+
+ return {
+ 'insights_content': filter_insights_api_response(platform_info, reports, remediations)
+ }
def get(self, request, *args, **kwargs):
host = self.get_object()
cred = None
if host.insights_system_id is None:
- return Response(dict(error=_('This host is not recognized as an Insights host.')), status=status.HTTP_404_NOT_FOUND)
+ return Response(
+ dict(error=_('This host is not recognized as an Insights host.')),
+ status=status.HTTP_404_NOT_FOUND
+ )
if host.inventory and host.inventory.insights_credential:
cred = host.inventory.insights_credential
else:
- return Response(dict(error=_('The Insights Credential for "{}" was not found.').format(host.inventory.name)), status=status.HTTP_404_NOT_FOUND)
+ return Response(
+ dict(error=_('The Insights Credential for "{}" was not found.').format(host.inventory.name)),
+ status=status.HTTP_404_NOT_FOUND
+ )
- url = settings.INSIGHTS_URL_BASE + '/r/insights/v3/systems/{}/reports/'.format(host.insights_system_id)
- (username, password) = self._extract_insights_creds(cred)
- (msg, err_code) = self.get_insights(url, username, password)
- return Response(msg, status=err_code)
+ username = cred.get_input('username', default='')
+ password = cred.get_input('password', default='')
+ session = self._get_session(username, password)
+ headers = self._get_headers()
+
+ data = self._get_insights(host, session, headers)
+ return Response(data, status=status.HTTP_200_OK)
+
+ def handle_exception(self, exc):
+ # Continue supporting the slightly different way we have handled error responses on this view.
+ response = super().handle_exception(exc)
+ response.data['error'] = response.data.pop('detail')
+ return response
class GroupList(ListCreateAPIView):
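Review bot: `_get_remediations` follows `data['links']['next']` using the session that carries `HTTPBasicAuth` for the inventory's Insights credential, and `requests` attaches `session.auth` to every request regardless of host, so a `next` link naming another host forwards that credential off-site and one pointing back at the same page loops without bound. Unlike `_get_platform_info`, which maps a missing `results` to `NotFound`, the `data['data']` and `data['links']` lookups are unguarded, so a malformed page surfaces as a 500 rather than a 502; separately, `host.insights_system_id` is interpolated unquoted into the `insights_id=` query string in `_get_platform_info`, which, if that field is user-editable, lets `&`-separated parameters be appended — `session.get(url, params={'insights_id': host.insights_system_id}, ...)` or `urllib.parse.quote` avoids that. Below is a loop that resolves relative links against `settings.INSIGHTS_URL_BASE`, refuses to leave its scheme/host, caps the page count and maps shape errors to `BadGateway` (needs `from urllib.parse import urljoin, urlparse`). The `_get_headers` method this hunk opens inside starts in the previous hunk.
```python
    def _get_remediations(self, platform_id, session, headers):
        # … unchanged: initial url and remediations list …
        base = urlparse(settings.INSIGHTS_URL_BASE)
        pages = 0
        # Iterate over all of the pages of content.
        while url:
            pages += 1
            if pages > 1000:  # bound a misbehaving upstream that never ends the chain
                raise BadGateway(_('Too many result pages returned by {}').format(url))
            data = self._call_insights_api(url, session, headers)
            try:
                remediations.extend(data['data'])
                next_url = data['links']['next']  # Will be `None` if this is the last page.
            except (KeyError, TypeError):
                raise BadGateway(_('Unexpected remediations response from {}').format(url))
            if next_url:
                next_url = urljoin(settings.INSIGHTS_URL_BASE, next_url)
                # session.auth is sent to any host; never follow a link off the Insights base.
                if urlparse(next_url)[:2] != base[:2]:
                    raise BadGateway(_('Refusing to follow off-host link {}').format(next_url))
            url = next_url

        return remediations
```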
diff --git a/awx/main/tests/data/insights.json b/awx/main/tests/data/insights.json
index 204985ab2f..8a303ba85d 100644
--- a/awx/main/tests/data/insights.json
+++ b/awx/main/tests/data/insights.json
@@ -1,724 +1,429 @@
-{
- "toString": "$REDACTED$",
- "isCheckingIn": false,
- "system_id": "11111111-1111-1111-1111-111111111111",
- "display_name": null,
- "remote_branch": null,
- "remote_leaf": null,
- "account_number": "1111111",
- "hostname": "$REDACTED$",
- "parent_id": null,
- "system_type_id": 105,
- "last_check_in": "2017-07-21T07:07:29.000Z",
- "stale_ack": false,
- "type": "machine",
- "product": "rhel",
- "created_at": "2017-07-20T17:26:53.000Z",
- "updated_at": "2017-07-21T07:07:29.000Z",
- "unregistered_at": null,
- "reports": [{
- "details": {
- "vulnerable_setting": "hosts: files dns myhostname",
- "affected_package": "glibc-2.17-105.el7",
- "error_key": "GLIBC_CVE_2015_7547"
- },
- "id": 955802695,
- "rule_id": "CVE_2015_7547_glibc|GLIBC_CVE_2015_7547",
- "system_id": "11111111-1111-1111-1111-111111111111",
- "account_number": "1111111",
- "uuid": "11111111111111111111111111111111",
- "date": "2017-07-21T07:07:29.000Z",
- "rule": {
- "summary_html": "
A critical security flaw in the glibc
library was found. It allows an attacker to crash an application built against that library or, potentially, execute arbitrary code with privileges of the user running the application.
\n",
- "generic_html": "The glibc
library is vulnerable to a stack-based buffer overflow security flaw. A remote attacker could create specially crafted DNS responses that could cause the libresolv
part of the library, which performs dual A/AAAA DNS queries, to crash or potentially execute code with the permissions of the user running the library. The issue is only exposed when libresolv
is called from the nss_dns NSS service module. This flaw is known as CVE-2015-7547.
\n",
- "more_info_html": "\n",
- "severity": "ERROR",
- "ansible": true,
- "ansible_fix": false,
- "ansible_mitigation": false,
- "rule_id": "CVE_2015_7547_glibc|GLIBC_CVE_2015_7547",
- "error_key": "GLIBC_CVE_2015_7547",
- "plugin": "CVE_2015_7547_glibc",
- "description": "Remote code execution vulnerability in libresolv via crafted DNS response (CVE-2015-7547)",
- "summary": "A critical security flaw in the `glibc` library was found. It allows an attacker to crash an application built against that library or, potentially, execute arbitrary code with privileges of the user running the application.",
- "generic": "The `glibc` library is vulnerable to a stack-based buffer overflow security flaw. A remote attacker could create specially crafted DNS responses that could cause the `libresolv` part of the library, which performs dual A/AAAA DNS queries, to crash or potentially execute code with the permissions of the user running the library. The issue is only exposed when `libresolv` is called from the nss_dns NSS service module. This flaw is known as [CVE-2015-7547](https://access.redhat.com/security/cve/CVE-2015-7547).",
- "reason": "This host is vulnerable because it has vulnerable package glibc-2.17-105.el7 installed and DNS is enabled in /etc/nsswitch.conf
:
\nhosts: files dns myhostname\n
The glibc
library is vulnerable to a stack-based buffer overflow security flaw. A remote attacker could create specially crafted DNS responses that could cause the libresolv
part of the library, which performs dual A/AAAA DNS queries, to crash or potentially execute code with the permissions of the user running the library. The issue is only exposed when libresolv
is called from the nss_dns NSS service module. This flaw is known as CVE-2015-7547.
\n",
- "type": null,
- "more_info": "* For more information about the flaw see [CVE-2015-7547](https://access.redhat.com/security/cve/CVE-2015-7547).\n* To learn how to upgrade packages, see \"[What is yum and how do I use it?](https://access.redhat.com/solutions/9934)\"\n* The Customer Portal page for the [Red Hat Security Team](https://access.redhat.com/security/) contains more information about policies, procedures, and alerts for Red Hat Products.\n* The Security Team also maintains a frequently updated blog at [securityblog.redhat.com](https://securityblog.redhat.com).",
- "active": true,
- "node_id": "2168451",
- "category": "Security",
- "retired": false,
- "reboot_required": false,
- "publish_date": "2016-10-31T04:08:35.000Z",
- "rec_impact": 4,
- "rec_likelihood": 2,
- "resolution": "Red Hat recommends updating glibc
and restarting the affected system:
\n# yum update glibc\n# reboot\n
Alternatively, you can restart all affected services, but because this vulnerability affects a large amount of applications on the system, the best solution is to restart the system.
\n"
- },
- "maintenance_actions": [{
- "done": false,
- "id": 305205,
- "maintenance_plan": {
- "maintenance_id": 29315,
- "name": "RHEL Demo Infrastructure",
- "description": null,
- "start": null,
- "end": null,
- "created_by": "$READACTED$",
- "silenced": false,
- "hidden": false,
- "suggestion": null,
- "remote_branch": null,
- "allow_reboot": true
- }
- }, {
- "done": false,
- "id": 305955,
- "maintenance_plan": {
- "maintenance_id": 29335,
- "name": "RHEL Demo All Systems",
- "description": null,
- "start": null,
- "end": null,
- "created_by": "$READACTED$",
- "silenced": false,
- "hidden": false,
- "suggestion": null,
- "remote_branch": null,
- "allow_reboot": true
- }
- }]
- }, {
- "details": {
- "affected_kernel": "3.10.0-327.el7",
- "error_key": "KERNEL_CVE-2016-0728"
- },
- "id": 955802705,
- "rule_id": "CVE_2016_0728_kernel|KERNEL_CVE-2016-0728",
- "system_id": "11111111-1111-1111-1111-111111111111",
- "account_number": "1111111",
- "uuid": "11111111111111111111111111111111",
- "date": "2017-07-21T07:07:29.000Z",
- "rule": {
- "summary_html": "A vulnerability in the Linux kernel allowing local privilege escalation was discovered. The issue was reported as CVE-2016-0728.
\n",
- "generic_html": "A vulnerability in the Linux kernel rated Important was discovered. The use-after-free flaw relates to the way the Linux kernel's key management subsystem handles keyring object reference counting in certain error paths of the join_session_keyring() function. A local, unprivileged user could use this flaw to escalate their privileges on the system. The issue was reported as CVE-2016-0728.
\nRed Hat recommends that you update the kernel and reboot the system. If you cannot reboot now, consider applying the systemtap patch to update your running kernel.
\n",
- "more_info_html": "\n",
- "severity": "WARN",
- "ansible": true,
- "ansible_fix": false,
- "ansible_mitigation": false,
- "rule_id": "CVE_2016_0728_kernel|KERNEL_CVE-2016-0728",
- "error_key": "KERNEL_CVE-2016-0728",
- "plugin": "CVE_2016_0728_kernel",
- "description": "Kernel key management subsystem vulnerable to local privilege escalation (CVE-2016-0728)",
- "summary": "A vulnerability in the Linux kernel allowing local privilege escalation was discovered. The issue was reported as [CVE-2016-0728](https://access.redhat.com/security/cve/cve-2016-0728).",
- "generic": "A vulnerability in the Linux kernel rated **Important** was discovered. The use-after-free flaw relates to the way the Linux kernel's key management subsystem handles keyring object reference counting in certain error paths of the join_session_keyring() function. A local, unprivileged user could use this flaw to escalate their privileges on the system. The issue was reported as [CVE-2016-0728](https://access.redhat.com/security/cve/cve-2016-0728).\n\nRed Hat recommends that you update the kernel and reboot the system. If you cannot reboot now, consider applying the [systemtap patch](https://bugzilla.redhat.com/attachment.cgi?id=1116284&action=edit) to update your running kernel.",
- "reason": "A vulnerability in the Linux kernel rated Important was discovered. The use-after-free flaw relates to the way the Linux kernel's key management subsystem handles keyring object reference counting in certain error paths of the join_session_keyring() function. A local, unprivileged user could use this flaw to escalate their privileges on the system. The issue was reported as CVE-2016-0728.
\nThe host is vulnerable as it is running kernel-3.10.0-327.el7.
\n",
- "type": null,
- "more_info": "* For more information about the flaws and versions of the package that are vulnerable see [CVE-2016-0728](https://access.redhat.com/security/cve/cve-2016-0728).\n* To learn how to upgrade packages, see \"[What is yum and how do I use it?](https://access.redhat.com/solutions/9934)\"\n* The Customer Portal page for the [Red Hat Security Team](https://access.redhat.com/security/) contains more information about policies, procedures, and alerts for Red Hat Products.\n* The Security Team also maintains a frequently updated blog at [securityblog.redhat.com](https://securityblog.redhat.com).",
- "active": true,
- "node_id": "2130791",
- "category": "Security",
- "retired": false,
- "reboot_required": false,
- "publish_date": "2016-10-31T04:08:37.000Z",
- "rec_impact": 2,
- "rec_likelihood": 2,
- "resolution": "Red Hat recommends that you update kernel
and reboot. If you cannot reboot now, consider applying the systemtap patch to update your running kernel.
\n# yum update kernel\n# reboot\n-or-\n# debuginfo-install kernel (or equivalent)\n# stap -vgt -Gfix_p=1 -Gtrace_p=0 cve20160728e.stp\n
"
- },
- "maintenance_actions": [{
- "done": false,
- "id": 305215,
- "maintenance_plan": {
- "maintenance_id": 29315,
- "name": "RHEL Demo Infrastructure",
- "description": null,
- "start": null,
- "end": null,
- "created_by": "$READACTED$",
- "silenced": false,
- "hidden": false,
- "suggestion": null,
- "remote_branch": null,
- "allow_reboot": true
- }
- }, {
- "done": false,
- "id": 306205,
- "maintenance_plan": {
- "maintenance_id": 29335,
- "name": "RHEL Demo All Systems",
- "description": null,
- "start": null,
- "end": null,
- "created_by": "$READACTED$",
- "silenced": false,
- "hidden": false,
- "suggestion": null,
- "remote_branch": null,
- "allow_reboot": true
- }
- }]
- }, {
- "details": {
- "processes_listening_int": [
- ["neutron-o", "127.0.0.1", "6633"],
- ["ovsdb-ser", "127.0.0.1", "6640"]
- ],
- "processes_listening_ext": [
- ["CPU", "0.0.0.0", "5900"],
- ["libvirtd", "", "::16509"],
- ["master", "", ":1:25"],
- ["qemu-kvm", "0.0.0.0", "5900"],
- ["vnc_worke", "0.0.0.0", "5900"],
- ["worker", "0.0.0.0", "5900"]
- ],
- "error_key": "OPENSSL_CVE_2016_0800_DROWN_LISTENING",
- "processes_listening": [
- ["CPU", "0.0.0.0", "5900"],
- ["libvirtd", "", "::16509"],
- ["master", "", ":1:25"],
- ["neutron-o", "127.0.0.1", "6633"],
- ["ovsdb-ser", "127.0.0.1", "6640"],
- ["qemu-kvm", "0.0.0.0", "5900"],
- ["vnc_worke", "0.0.0.0", "5900"],
- ["worker", "0.0.0.0", "5900"]
- ],
- "processes_names": ["/usr/bin/", "CPU", "ceilomete", "gmain", "handler6", "libvirtd", "master", "neutron-o", "neutron-r", "nova-comp", "ovs-vswit", "ovsdb-cli", "ovsdb-ser", "pickup", "privsep-h", "qemu-kvm", "qmgr", "redhat-ac", "revalidat", "tuned", "urcu3", "virtlogd", "vnc_worke", "worker"],
- "vulnerable_package": "openssl-libs-1.0.1e-42.el7_1.9"
- },
- "id": 955802715,
- "rule_id": "CVE_2016_0800_openssl_drown|OPENSSL_CVE_2016_0800_DROWN_LISTENING",
- "system_id": "11111111-1111-1111-1111-111111111111",
- "account_number": "1111111",
- "uuid": "11111111111111111111111111111111",
- "date": "2017-07-21T07:07:29.000Z",
- "rule": {
- "summary_html": "A new cross-protocol attack against SSLv2 protocol has been found. It has been assigned CVE-2016-0800 and is referred to as DROWN - Decrypting RSA using Obsolete and Weakened eNcryption. An attacker can decrypt passively collected TLS sessions between up-to-date client and server which supports SSLv2.
\n",
- "generic_html": "A new cross-protocol attack against a vulnerability in the SSLv2 protocol has been found. It can be used to passively decrypt collected TLS/SSL sessions from any connection that used an RSA key exchange cypher suite on a server that supports SSLv2. Even if a given service does not support SSLv2 the connection is still vulnerable if another service does and shares the same RSA private key.
\nA more efficient variant of the attack exists against unpatched OpenSSL servers using versions that predate security advisories released on March 19, 2015 (see CVE-2015-0293).
\n",
- "more_info_html": "\n",
- "severity": "ERROR",
- "ansible": true,
- "ansible_fix": false,
- "ansible_mitigation": false,
- "rule_id": "CVE_2016_0800_openssl_drown|OPENSSL_CVE_2016_0800_DROWN_LISTENING",
- "error_key": "OPENSSL_CVE_2016_0800_DROWN_LISTENING",
- "plugin": "CVE_2016_0800_openssl_drown",
- "description": "OpenSSL with externally listening processes vulnerable to session decryption (CVE-2016-0800/DROWN)",
- "summary": "A new cross-protocol attack against SSLv2 protocol has been found. It has been assigned [CVE-2016-0800](https://access.redhat.com/security/cve/CVE-2016-0800) and is referred to as DROWN - Decrypting RSA using Obsolete and Weakened eNcryption. An attacker can decrypt passively collected TLS sessions between up-to-date client and server which supports SSLv2.",
- "generic": "A new cross-protocol attack against a vulnerability in the SSLv2 protocol has been found. It can be used to passively decrypt collected TLS/SSL sessions from any connection that used an RSA key exchange cypher suite on a server that supports SSLv2. Even if a given service does not support SSLv2 the connection is still vulnerable if another service does and shares the same RSA private key.\n\nA more efficient variant of the attack exists against unpatched OpenSSL servers using versions that predate security advisories released on March 19, 2015 (see [CVE-2015-0293](https://access.redhat.com/security/cve/CVE-2015-0293)).",
- "reason": "This host is vulnerable because it has vulnerable package openssl-libs-1.0.1e-42.el7_1.9 installed.
\nIt also runs the following processes that use OpenSSL libraries:
\n- /usr/bin/
- CPU
- ceilomete
- gmain
- handler6
- libvirtd
- master
- neutron-o
- neutron-r
- nova-comp
- ovs-vswit
- ovsdb-cli
- ovsdb-ser
- pickup
- privsep-h
- qemu-kvm
- qmgr
- redhat-ac
- revalidat
- tuned
- urcu3
- virtlogd
- vnc_worke
- worker
\n\n\n\n\nThe following processes that use OpenSSL libraries are listening on the sockets bound to public IP addresses:
\n- CPU (0.0.0.0)
- libvirtd ()
- master ()
- qemu-kvm (0.0.0.0)
- vnc_worke (0.0.0.0)
- worker (0.0.0.0)
\n\n\n\n\n\n\n\n\nA new cross-protocol attack against a vulnerability in the SSLv2 protocol has been found. It can be used to passively decrypt collected TLS/SSL sessions from any connection that used an RSA key exchange cypher suite on a server that supports SSLv2. Even if a given service does not support SSLv2 the connection is still vulnerable if another service does and shares the same RSA private key.
\nA more efficient variant of the attack exists against unpatched OpenSSL servers using versions that predate security advisories released on March 19, 2015 (see CVE-2015-0293).
\n",
- "type": null,
- "more_info": "* For more information about the flaw see [CVE-2016-0800](https://access.redhat.com/security/cve/CVE-2016-0800)\n* To learn how to upgrade packages, see \"[What is yum and how do I use it?](https://access.redhat.com/solutions/9934)\"\n* The Customer Portal page for the [Red Hat Security Team](https://access.redhat.com/security/) contains more information about policies, procedures, and alerts for Red Hat Products.\n* The Security Team also maintains a frequently updated blog at [securityblog.redhat.com](https://securityblog.redhat.com).",
- "active": true,
- "node_id": "2174451",
- "category": "Security",
- "retired": false,
- "reboot_required": false,
- "publish_date": "2016-10-31T04:08:33.000Z",
- "rec_impact": 3,
- "rec_likelihood": 4,
- "resolution": "Red Hat recommends that you update openssl
and restart the affected system:
\n# yum update openssl\n# reboot\n
Alternatively, you can restart all affected services (that is, the ones linked to the openssl library), especially those listening on public IP addresses.
\n"
- },
- "maintenance_actions": [{
- "done": false,
- "id": 305225,
- "maintenance_plan": {
- "maintenance_id": 29315,
- "name": "RHEL Demo Infrastructure",
- "description": null,
- "start": null,
- "end": null,
- "created_by": "$READACTED$",
- "silenced": false,
- "hidden": false,
- "suggestion": null,
- "remote_branch": null,
- "allow_reboot": true
- }
- }, {
- "done": false,
- "id": 306435,
- "maintenance_plan": {
- "maintenance_id": 29335,
- "name": "RHEL Demo All Systems",
- "description": null,
- "start": null,
- "end": null,
- "created_by": "$READACTED$",
- "silenced": false,
- "hidden": false,
- "suggestion": null,
- "remote_branch": null,
- "allow_reboot": true
- }
- }]
- }, {
- "details": {
- "vulnerable_kernel": "3.10.0-327.el7",
- "package_name": "kernel",
- "error_key": "KERNEL_CVE_2016_5195_2"
- },
- "id": 955802725,
- "rule_id": "CVE_2016_5195_kernel|KERNEL_CVE_2016_5195_2",
- "system_id": "11111111-1111-1111-1111-111111111111",
- "account_number": "1111111",
- "uuid": "11111111111111111111111111111111",
- "date": "2017-07-21T07:07:29.000Z",
- "rule": {
- "summary_html": "A flaw was found in the Linux kernel's memory subsystem. An unprivileged local user could use this flaw to write to files they would normally only have read-only access to and thus increase their privileges on the system.
\n",
- "generic_html": "A race condition was found in the way Linux kernel's memory subsystem handled breakage of the read only shared mappings COW situation on write access. An unprivileged local user could use this flaw to write to files they should normally have read-only access to, and thus increase their privileges on the system.
\nA process that is able to mmap a file is able to race Copy on Write (COW) page creation (within get_user_pages) with madvise(MADV_DONTNEED) kernel system calls. This would allow modified pages to bypass the page protection mechanism and modify the mapped file. The vulnerability could be abused by allowing an attacker to modify existing setuid files with instructions to elevate permissions. This attack has been found in the wild.
\nRed Hat recommends that you update the kernel package.
\n",
- "more_info_html": "\n",
- "severity": "WARN",
- "ansible": true,
- "ansible_fix": false,
- "ansible_mitigation": false,
- "rule_id": "CVE_2016_5195_kernel|KERNEL_CVE_2016_5195_2",
- "error_key": "KERNEL_CVE_2016_5195_2",
- "plugin": "CVE_2016_5195_kernel",
- "description": "Kernel vulnerable to privilege escalation via permission bypass (CVE-2016-5195)",
- "summary": "A flaw was found in the Linux kernel's memory subsystem. An unprivileged local user could use this flaw to write to files they would normally only have read-only access to and thus increase their privileges on the system.",
- "generic": "A race condition was found in the way Linux kernel's memory subsystem handled breakage of the read only shared mappings COW situation on write access. An unprivileged local user could use this flaw to write to files they should normally have read-only access to, and thus increase their privileges on the system.\n\nA process that is able to mmap a file is able to race Copy on Write (COW) page creation (within get_user_pages) with madvise(MADV_DONTNEED) kernel system calls. This would allow modified pages to bypass the page protection mechanism and modify the mapped file. The vulnerability could be abused by allowing an attacker to modify existing setuid files with instructions to elevate permissions. This attack has been found in the wild. \n\nRed Hat recommends that you update the kernel package.\n",
- "reason": "A flaw was found in the Linux kernel's memory subsystem. An unprivileged local user could use this flaw to write to files they would normally have read-only access to and thus increase their privileges on the system.
\nThis host is affected because it is running kernel 3.10.0-327.el7.
\n",
- "type": null,
- "more_info": "* For more information about the flaw see [CVE-2016-5195](https://access.redhat.com/security/cve/CVE-2016-5195)\n* To learn how to upgrade packages, see \"[What is yum and how do I use it?](https://access.redhat.com/solutions/9934)\"\n* The Customer Portal page for the [Red Hat Security Team](https://access.redhat.com/security/) contains more information about policies, procedures, and alerts for Red Hat Products.\n* The Security Team also maintains a frequently updated blog at [securityblog.redhat.com](https://securityblog.redhat.com).",
- "active": true,
- "node_id": "2706661",
- "category": "Security",
- "retired": false,
- "reboot_required": true,
- "publish_date": "2016-10-31T04:08:33.000Z",
- "rec_impact": 2,
- "rec_likelihood": 2,
- "resolution": "Red Hat recommends that you update the kernel
package and restart the system:
\n# yum update kernel\n# reboot\n
"
- },
- "maintenance_actions": [{
- "done": false,
- "id": 305235,
- "maintenance_plan": {
- "maintenance_id": 29315,
- "name": "RHEL Demo Infrastructure",
- "description": null,
- "start": null,
- "end": null,
- "created_by": "$READACTED$",
- "silenced": false,
- "hidden": false,
- "suggestion": null,
- "remote_branch": null,
- "allow_reboot": true
- }
- }, {
- "done": false,
- "id": 306705,
- "maintenance_plan": {
- "maintenance_id": 29335,
- "name": "RHEL Demo All Systems",
- "description": null,
- "start": null,
- "end": null,
- "created_by": "$READACTED$",
- "silenced": false,
- "hidden": false,
- "suggestion": null,
- "remote_branch": null,
- "allow_reboot": true
- }
- }]
- }, {
- "details": {
- "mitigation_conf": "no",
- "sysctl_live_ack_limit": "100",
- "package_name": "kernel",
- "sysctl_live_ack_limit_line": "net.ipv4.tcp_challenge_ack_limit = 100",
- "error_key": "KERNEL_CVE_2016_5696_URGENT",
- "vulnerable_kernel": "3.10.0-327.el7",
- "sysctl_conf_ack_limit": "100",
- "sysctl_conf_ack_limit_line": "net.ipv4.tcp_challenge_ack_limit = 100 # Implicit default",
- "mitigation_live": "no"
- },
- "id": 955802735,
- "rule_id": "CVE_2016_5696_kernel|KERNEL_CVE_2016_5696_URGENT",
- "system_id": "11111111-1111-1111-1111-111111111111",
- "account_number": "1111111",
- "uuid": "11111111111111111111111111111111",
- "date": "2017-07-21T07:07:29.000Z",
- "rule": {
- "summary_html": "A flaw in the Linux kernel's TCP/IP networking subsystem implementation of the RFC 5961 challenge ACK rate limiting was found that could allow an attacker located on different subnet to inject or take over a TCP connection between a server and client without needing to use a traditional man-in-the-middle (MITM) attack.
\n",
- "generic_html": "A flaw was found in the implementation of the Linux kernel's handling of networking challenge ack (RFC 5961) where an attacker is able to determine the\nshared counter. This flaw allows an attacker located on different subnet to inject or take over a TCP connection between a server and client without needing to use a traditional man-in-the-middle (MITM) attack.
\nRed Hat recommends that you update the kernel package or apply mitigations.
\n",
- "more_info_html": "\n",
- "severity": "ERROR",
- "ansible": true,
- "ansible_fix": false,
- "ansible_mitigation": false,
- "rule_id": "CVE_2016_5696_kernel|KERNEL_CVE_2016_5696_URGENT",
- "error_key": "KERNEL_CVE_2016_5696_URGENT",
- "plugin": "CVE_2016_5696_kernel",
- "description": "Kernel vulnerable to man-in-the-middle via payload injection",
- "summary": "A flaw in the Linux kernel's TCP/IP networking subsystem implementation of the [RFC 5961](https://tools.ietf.org/html/rfc5961) challenge ACK rate limiting was found that could allow an attacker located on different subnet to inject or take over a TCP connection between a server and client without needing to use a traditional man-in-the-middle (MITM) attack.",
- "generic": "A flaw was found in the implementation of the Linux kernel's handling of networking challenge ack ([RFC 5961](https://tools.ietf.org/html/rfc5961)) where an attacker is able to determine the\nshared counter. This flaw allows an attacker located on different subnet to inject or take over a TCP connection between a server and client without needing to use a traditional man-in-the-middle (MITM) attack. \n\nRed Hat recommends that you update the kernel package or apply mitigations.",
- "reason": "A flaw was found in the implementation of the Linux kernel's handling of networking challenge ack (RFC 5961) where an attacker is able to determine the\nshared counter. This flaw allows an attacker located on different subnet to inject or take over a TCP connection between a server and client without needing to use a traditional man-in-the-middle (MITM) attack.
\nThis host is affected because it is running kernel 3.10.0-327.el7.
\nYour currently loaded kernel configuration contains this setting:
\nnet.ipv4.tcp_challenge_ack_limit = 100\n
Your currently stored kernel configuration is:
\nnet.ipv4.tcp_challenge_ack_limit = 100 # Implicit default\n
There is currently no mitigation applied and your system is vulnerable.
\n",
- "type": null,
- "more_info": "* For more information about the flaw see [CVE-2016-5696](https://access.redhat.com/security/cve/CVE-2016-5696)\n* To learn how to upgrade packages, see \"[What is yum and how do I use it?](https://access.redhat.com/solutions/9934)\"\n* The Customer Portal page for the [Red Hat Security Team](https://access.redhat.com/security/) contains more information about policies, procedures, and alerts for Red Hat Products.\n* The Security Team also maintains a frequently updated blog at [securityblog.redhat.com](https://securityblog.redhat.com).",
- "active": true,
- "node_id": "2438571",
- "category": "Security",
- "retired": false,
- "reboot_required": false,
- "publish_date": "2016-10-31T04:08:32.000Z",
- "rec_impact": 4,
- "rec_likelihood": 2,
- "resolution": "Red Hat recommends that you update the kernel
package and restart the system:
\n# yum update kernel\n# reboot\n
or
\nAlternatively, this issue can be addressed by applying the following mitigations until the machine is restarted with the updated kernel package.
\nEdit /etc/sysctl.conf
file as root, add the mitigation configuration, and reload the kernel configuration:
\n# echo "net.ipv4.tcp_challenge_ack_limit = 2147483647" >> /etc/sysctl.conf \n# sysctl -p\n
"
- },
- "maintenance_actions": [{
- "done": false,
- "id": 305245,
- "maintenance_plan": {
- "maintenance_id": 29315,
- "name": "RHEL Demo Infrastructure",
- "description": null,
- "start": null,
- "end": null,
- "created_by": "$READACTED$",
- "silenced": false,
- "hidden": false,
- "suggestion": null,
- "remote_branch": null,
- "allow_reboot": true
- }
- }, {
- "done": false,
- "id": 306975,
- "maintenance_plan": {
- "maintenance_id": 29335,
- "name": "RHEL Demo All Systems",
- "description": null,
- "start": null,
- "end": null,
- "created_by": "$READACTED$",
- "silenced": false,
- "hidden": false,
- "suggestion": null,
- "remote_branch": null,
- "allow_reboot": true
- }
- }, {
- "done": false,
- "id": 316055,
- "maintenance_plan": {
- "maintenance_id": 30575,
- "name": "Fix the problem",
- "description": null,
- "start": null,
- "end": null,
- "created_by": "asdavis@redhat.com",
- "silenced": false,
- "hidden": false,
- "suggestion": null,
- "remote_branch": null,
- "allow_reboot": true
- }
- }]
- }, {
- "details": {
- "kernel_left_fully_exploitable": true,
- "vulnerable_kernel_version_release": "3.10.0-327.el7",
- "kernel_kpatch_applied": false,
- "kernel_vulnerable": true,
- "glibc_left_fully_exploitable": true,
- "vulnerable_glibc": {
- "PACKAGE_NAMES": ["glibc"],
- "PACKAGES": ["glibc-2.17-105.el7"]
- },
- "kernel_stap_applied": false,
- "error_key": "CVE_2017_1000364_KERNEL_CVE_2017_1000366_GLIBC_EXPLOITABLE",
- "vulnerable_kernel_name": "kernel",
- "nothing_left_fully_exploitable": false,
- "glibc_vulnerable": true
- },
- "id": 955802745,
- "rule_id": "CVE_2017_1000366_glibc|CVE_2017_1000364_KERNEL_CVE_2017_1000366_GLIBC_EXPLOITABLE",
- "system_id": "11111111-1111-1111-1111-111111111111",
- "account_number": "1111111",
- "uuid": "11111111111111111111111111111111",
- "date": "2017-07-21T07:07:29.000Z",
- "rule": {
- "summary_html": "A flaw was found in the way memory is being allocated on the stack for user space binaries. It has been assigned CVE-2017-1000364 and CVE-2017-1000366. An unprivileged local user can use this flaw to execute arbitrary code as root and increase their privileges on the system.
\n",
- "generic_html": "A flaw was found in the way memory is being allocated on the stack for user space binaries. It has been assigned CVE-2017-1000364 and CVE-2017-1000366. An unprivileged local user can use this flaw to execute arbitrary code as root and increase their privileges on the system.
\nIf heap and stack memory regions are adjacent to each other, an attacker can use this flaw to jump over the heap/stack gap, cause controlled memory corruption on process stack or heap, and thus increase their privileges on the system.
\nAn attacker must have access to a local account on the system.
\nRed Hat recommends that you update the kernel and glibc.
\n",
- "more_info_html": "\n",
- "severity": "WARN",
- "ansible": true,
- "ansible_fix": false,
- "ansible_mitigation": false,
- "rule_id": "CVE_2017_1000366_glibc|CVE_2017_1000364_KERNEL_CVE_2017_1000366_GLIBC_EXPLOITABLE",
- "error_key": "CVE_2017_1000364_KERNEL_CVE_2017_1000366_GLIBC_EXPLOITABLE",
- "plugin": "CVE_2017_1000366_glibc",
- "description": "Kernel and glibc vulnerable to local privilege escalation via stack and heap memory clash (CVE-2017-1000364 and CVE-2017-1000366)",
- "summary": "A flaw was found in the way memory is being allocated on the stack for user space binaries. It has been assigned [CVE-2017-1000364](https://access.redhat.com/security/cve/CVE-2017-1000364) and [CVE-2017-1000366](https://access.redhat.com/security/cve/CVE-2017-1000366). An unprivileged local user can use this flaw to execute arbitrary code as root and increase their privileges on the system.\n",
- "generic": "A flaw was found in the way memory is being allocated on the stack for user space binaries. It has been assigned CVE-2017-1000364 and CVE-2017-1000366. An unprivileged local user can use this flaw to execute arbitrary code as root and increase their privileges on the system.\n\nIf heap and stack memory regions are adjacent to each other, an attacker can use this flaw to jump over the heap/stack gap, cause controlled memory corruption on process stack or heap, and thus increase their privileges on the system. \n\nAn attacker must have access to a local account on the system.\n\nRed Hat recommends that you update the kernel and glibc.\n",
- "reason": "A flaw was found in kernel and glibc in the way memory is being allocated on the stack for user space binaries.
\nThe host is affected because it is running kernel-3.10.0-327.el7 and using glibc-2.17-105.el7.
\n",
- "type": null,
- "more_info": "* For more information about the flaw, see [the vulnerability article](https://access.redhat.com/security/vulnerabilities/stackguard) and [CVE-2017-1000364](https://access.redhat.com/security/cve/CVE-2017-1000364) and [CVE-2017-1000366](https://access.redhat.com/security/cve/CVE-2017-1000366).\n* To learn how to upgrade packages, see [What is yum and how do I use it?](https://access.redhat.com/solutions/9934).\n* The Customer Portal page for the [Red Hat Security Team](https://access.redhat.com/security/) contains more information about policies, procedures, and alerts for Red Hat products.\n* The Security Team also maintains a frequently updated blog at [securityblog.redhat.com](https://securityblog.redhat.com).\n",
- "active": true,
- "node_id": null,
- "category": "Security",
- "retired": false,
- "reboot_required": true,
- "publish_date": "2017-06-19T15:00:00.000Z",
- "rec_impact": 2,
- "rec_likelihood": 2,
- "resolution": "Red Hat recommends updating the kernel
and glibc
packages and rebooting the system.
\n# yum update kernel glibc\n# reboot\n
"
- },
- "maintenance_actions": [{
- "done": false,
- "id": 305255,
- "maintenance_plan": {
- "maintenance_id": 29315,
- "name": "RHEL Demo Infrastructure",
- "description": null,
- "start": null,
- "end": null,
- "created_by": "$READACTED$",
- "silenced": false,
- "hidden": false,
- "suggestion": null,
- "remote_branch": null,
- "allow_reboot": true
- }
- }, {
- "done": false,
- "id": 307415,
- "maintenance_plan": {
- "maintenance_id": 29335,
- "name": "RHEL Demo All Systems",
- "description": null,
- "start": null,
- "end": null,
- "created_by": "$READACTED$",
- "silenced": false,
- "hidden": false,
- "suggestion": null,
- "remote_branch": null,
- "allow_reboot": true
- }
- }]
- }, {
- "details": {
- "PACKAGE_NAMES": ["sudo"],
- "PACKAGES": ["sudo-1.8.6p7-16.el7"],
- "error_key": "CVE_2017_1000367_SUDO"
- },
- "id": 955802755,
- "rule_id": "CVE_2017_1000367_sudo|CVE_2017_1000367_SUDO",
- "system_id": "11111111-1111-1111-1111-111111111111",
- "account_number": "1111111",
- "uuid": "11111111111111111111111111111111",
- "date": "2017-07-21T07:07:29.000Z",
- "rule": {
- "summary_html": "A local privilege escalation flaw was found in sudo
. A local user having sudo access on the system,\ncould use this flaw to execute arbitrary commands as root. This issue was reported as\nCVE-2017-1000367
\n",
- "generic_html": "A local privilege escalation flaw was found in sudo
. All versions of sudo package shipped with RHEL 5, 6 and 7 are vulnerable\nto a local privilege escalation vulnerability. A flaw was found in the way get_process_ttyname()
function obtained\ninformation about the controlling terminal of the sudo process from the status file in the proc filesystem.\nThis allows a local user who has any level of sudo access on the system to execute arbitrary commands as root or\nin certain conditions escalate his privileges to root.
\nRed Hat recommends that you update update the sudo
package.
\n",
- "more_info_html": "\n",
- "severity": "WARN",
- "ansible": true,
- "ansible_fix": true,
- "ansible_mitigation": false,
- "rule_id": "CVE_2017_1000367_sudo|CVE_2017_1000367_SUDO",
- "error_key": "CVE_2017_1000367_SUDO",
- "plugin": "CVE_2017_1000367_sudo",
- "description": "sudo vulnerable to local privilege escalation via process TTY name parsing (CVE-2017-1000367)",
- "summary": "A local privilege escalation flaw was found in `sudo`. A local user having sudo access on the system,\ncould use this flaw to execute arbitrary commands as root. This issue was reported as\n[CVE-2017-1000367](https://access.redhat.com/security/cve/CVE-2017-1000367)",
- "generic": "A local privilege escalation flaw was found in `sudo`. All versions of sudo package shipped with RHEL 5, 6 and 7 are vulnerable\nto a local privilege escalation vulnerability. A flaw was found in the way `get_process_ttyname()` function obtained\ninformation about the controlling terminal of the sudo process from the status file in the proc filesystem.\nThis allows a local user who has any level of sudo access on the system to execute arbitrary commands as root or\nin certain conditions escalate his privileges to root.\n\nRed Hat recommends that you update update the `sudo` package.\n",
- "reason": "This machine is vulnerable because it has vulnerable sudo
package sudo-1.8.6p7-16.el7 installed.
\n",
- "type": null,
- "more_info": "* For more information about the remote code execution flaw [CVE-2017-1000367](https://access.redhat.com/security/cve/CVE-2017-1000367) see [knowledge base article](https://access.redhat.com/security/vulnerabilities/3059071).\n* To learn how to upgrade packages, see \"[What is yum and how do I use it?](https://access.redhat.com/solutions/9934)\"\n* To better understand [sudo](https://www.sudo.ws/), see [Sudo in a Nutshell](https://www.sudo.ws/intro.html)\n* The Customer Portal page for the [Red Hat Security Team](https://access.redhat.com/security/) contains more information about policies, procedures, and alerts for Red Hat Products.\n* The Security Team also maintains a frequently updated blog at [securityblog.redhat.com](https://securityblog.redhat.com).\n",
- "active": true,
- "node_id": "3059071",
- "category": "Security",
- "retired": false,
- "reboot_required": false,
- "publish_date": "2017-05-30T13:30:00.000Z",
- "rec_impact": 2,
- "rec_likelihood": 2,
- "resolution": "Red Hat recommends that you update the sudo
package.
\n# yum update sudo\n
"
- },
- "maintenance_actions": [{
- "done": false,
- "id": 305265,
- "maintenance_plan": {
- "maintenance_id": 29315,
- "name": "RHEL Demo Infrastructure",
- "description": null,
- "start": null,
- "end": null,
- "created_by": "$READACTED$",
- "silenced": false,
- "hidden": false,
- "suggestion": null,
- "remote_branch": null,
- "allow_reboot": true
- }
- }, {
- "done": false,
- "id": 308075,
- "maintenance_plan": {
- "maintenance_id": 29335,
- "name": "RHEL Demo All Systems",
- "description": null,
- "start": null,
- "end": null,
- "created_by": "$READACTED$",
- "silenced": false,
- "hidden": false,
- "suggestion": null,
- "remote_branch": null,
- "allow_reboot": true
- }
- }]
- }, {
- "details": {
- "mod_loading_disabled": false,
- "package_name": "kernel",
- "error_key": "KERNEL_CVE_2017_2636",
- "vulnerable_kernel": "3.10.0-327.el7",
- "mod_loaded": false,
- "mitigation_info": true
- },
- "id": 955802765,
- "rule_id": "CVE_2017_2636_kernel|KERNEL_CVE_2017_2636",
- "system_id": "11111111-1111-1111-1111-111111111111",
- "account_number": "1111111",
- "uuid": "11111111111111111111111111111111",
- "date": "2017-07-21T07:07:29.000Z",
- "rule": {
- "summary_html": "A vulnerability in the Linux kernel allowing local privilege escalation was discovered.\nThe issue was reported as CVE-2017-2636.
\n",
- "generic_html": "A use-after-free flaw was found in the Linux kernel implementation of the HDLC (High-Level Data Link Control) TTY line discipline implementation. It has been assigned CVE-2017-2636.
\nAn unprivileged local user could use this flaw to execute arbitrary code in kernel memory and increase their privileges on the system. The kernel uses a TTY subsystem to take and show terminal output to connected systems. An attacker crafting specific-sized memory allocations could abuse this mechanism to place a kernel function pointer with malicious instructions to be executed on behalf of the attacker.
\nAn attacker must have access to a local account on the system; this is not a remote attack. Exploiting this flaw does not require Microgate or SyncLink hardware to be in use.
\nRed Hat recommends that you use the proposed mitigation to disable the N_HDLC module.
\n",
- "more_info_html": "\n",
- "severity": "WARN",
- "ansible": true,
- "ansible_fix": false,
- "ansible_mitigation": false,
- "rule_id": "CVE_2017_2636_kernel|KERNEL_CVE_2017_2636",
- "error_key": "KERNEL_CVE_2017_2636",
- "plugin": "CVE_2017_2636_kernel",
- "description": "Kernel vulnerable to local privilege escalation via n_hdlc module (CVE-2017-2636)",
- "summary": "A vulnerability in the Linux kernel allowing local privilege escalation was discovered.\nThe issue was reported as [CVE-2017-2636](https://access.redhat.com/security/cve/CVE-2017-2636).\n",
- "generic": "A use-after-free flaw was found in the Linux kernel implementation of the HDLC (High-Level Data Link Control) TTY line discipline implementation. It has been assigned CVE-2017-2636.\n\nAn unprivileged local user could use this flaw to execute arbitrary code in kernel memory and increase their privileges on the system. The kernel uses a TTY subsystem to take and show terminal output to connected systems. An attacker crafting specific-sized memory allocations could abuse this mechanism to place a kernel function pointer with malicious instructions to be executed on behalf of the attacker.\n\nAn attacker must have access to a local account on the system; this is not a remote attack. Exploiting this flaw does not require Microgate or SyncLink hardware to be in use.\n\nRed Hat recommends that you use the proposed mitigation to disable the N_HDLC module.\n",
- "reason": "A use-after-free flaw was found in the Linux kernel implementation of the HDLC (High-Level Data Link Control) TTY line discipline implementation.
\nThis host is affected because it is running kernel 3.10.0-327.el7.
\n",
- "type": null,
- "more_info": "* For more information about the flaw, see [CVE-2017-2636](https://access.redhat.com/security/cve/CVE-2017-2636) and [CVE-2017-2636 article](https://access.redhat.com/security/vulnerabilities/CVE-2017-2636).\n* The Customer Portal page for the [Red Hat Security Team](https://access.redhat.com/security/) contains more information about policies, procedures, and alerts for Red Hat products.\n* The Security Team also maintains a frequently updated blog at [securityblog.redhat.com](https://securityblog.redhat.com).\n",
- "active": true,
- "node_id": null,
- "category": "Security",
- "retired": false,
- "reboot_required": false,
- "publish_date": "2017-05-16T12:00:00.000Z",
- "rec_impact": 2,
- "rec_likelihood": 2,
- "resolution": "Red Hat recommends updating the kernel
package and rebooting the system.
\n# yum update kernel\n# reboot\n
Alternatively, apply one of the following mitigations:
\nDisable loading of N_HDLC kernel module:
\n# echo "install n_hdlc /bin/true" >> /etc/modprobe.d/disable-n_hdlc.conf\n
"
- },
- "maintenance_actions": [{
- "done": false,
- "id": 305275,
- "maintenance_plan": {
- "maintenance_id": 29315,
- "name": "RHEL Demo Infrastructure",
- "description": null,
- "start": null,
- "end": null,
- "created_by": "$READACTED$",
- "silenced": false,
- "hidden": false,
- "suggestion": null,
- "remote_branch": null,
- "allow_reboot": true
- }
- }, {
- "done": false,
- "id": 308675,
- "maintenance_plan": {
- "maintenance_id": 29335,
- "name": "RHEL Demo All Systems",
- "description": null,
- "start": null,
- "end": null,
- "created_by": "$READACTED$",
- "silenced": false,
- "hidden": false,
- "suggestion": null,
- "remote_branch": null,
- "allow_reboot": true
- }
- }]
- }, {
- "details": {
- "kvr": "3.10.0-327.el7",
- "error_key": "IPMI_LIST_CORRUPTION_CRASH"
- },
- "id": 955826995,
- "rule_id": "ipmi_list_corruption_crash|IPMI_LIST_CORRUPTION_CRASH",
- "system_id": "11111111-1111-1111-1111-111111111111",
- "account_number": "1111111",
- "uuid": "11111111111111111111111111111111",
- "date": "2017-07-21T07:07:29.000Z",
- "rule": {
- "summary_html": "Kernel occasionally panics when running ipmitool
command due to a bug in the ipmi message handler.
\n",
- "generic_html": "Kernel occasionally panics when running ipmitool
due to a bug in the ipmi message handler.
\n",
- "more_info_html": "For how to upgrade the kernel to a specific version, refer to How do I upgrade the kernel to a particular version manually?.
\n",
- "severity": "WARN",
- "ansible": false,
- "ansible_fix": false,
- "ansible_mitigation": false,
- "rule_id": "ipmi_list_corruption_crash|IPMI_LIST_CORRUPTION_CRASH",
- "error_key": "IPMI_LIST_CORRUPTION_CRASH",
- "plugin": "ipmi_list_corruption_crash",
- "description": "Kernel panic occurs when running ipmitool command with specific kernels",
- "summary": "Kernel occasionally panics when running `ipmitool` command due to a bug in the ipmi message handler.\n",
- "generic": "Kernel occasionally panics when running `ipmitool` due to a bug in the ipmi message handler.\n",
- "reason": "This host is running kernel 3.10.0-327.el7 with the IPMI management tool installed.\nKernel panics can occur when running ipmitool
.
\n",
- "type": null,
- "more_info": "For how to upgrade the kernel to a specific version, refer to [How do I upgrade the kernel to a particular version manually?](https://access.redhat.com/solutions/161803).\n",
- "active": true,
- "node_id": "2690791",
- "category": "Stability",
- "retired": false,
- "reboot_required": true,
- "publish_date": null,
- "rec_impact": 3,
- "rec_likelihood": 1,
- "resolution": "Red Hat recommends that you complete the following steps to fix this issue:
\n\n\n- Upgrade kernel to the version 3.10.0-327.36.1.el7 or later:
\n\n\n# yum update kernel\n
\n- Restart the host with the new kernel.
\n\n# reboot\n
\n
\n"
- },
- "maintenance_actions": [{
- "done": false,
- "id": 305285,
- "maintenance_plan": {
- "maintenance_id": 29315,
- "name": "RHEL Demo Infrastructure",
- "description": null,
- "start": null,
- "end": null,
- "created_by": "$READACTED$",
- "silenced": false,
- "hidden": false,
- "suggestion": null,
- "remote_branch": null,
- "allow_reboot": true
- }
- }, {
- "done": false,
- "id": 310145,
- "maintenance_plan": {
- "maintenance_id": 29335,
- "name": "RHEL Demo All Systems",
- "description": null,
- "start": null,
- "end": null,
- "created_by": "$READACTED$",
- "silenced": false,
- "hidden": false,
- "suggestion": null,
- "remote_branch": null,
- "allow_reboot": true
- }
- }]
- }]
-}
+[
+ {
+ "id": 16923675,
+ "rule": {
+ "id": 46,
+ "created_at": "2019-02-07T14:02:34.379375-05:00",
+ "updated_at": "2019-03-12T11:45:28.804999-04:00",
+ "ruleset": {
+ "created_at": "2018-12-20T20:33:00-05:00",
+ "updated_at": "2018-12-20T20:33:00-05:00",
+ "rule_source": "https://$REDACTED$/insights-open-source/insights-security",
+ "description": "Security"
+ },
+ "rule_id": "CVE_2017_5715_cpu_virt|VIRT_CVE_2017_5715_CPU_3_ONLYKERNEL",
+ "description": "Kernel vulnerable to side-channel attacks in modern microprocessors (CVE-2017-5715/Spectre)",
+ "active": true,
+ "category": {
+ "id": 2,
+ "name": "Security"
+ },
+ "impact": {
+ "name": "Information Disclosure",
+ "impact": 3
+ },
+ "likelihood": 2,
+ "node_id": "3244101",
+ "tags": "security kernel CVE",
+ "reboot_required": true,
+ "publish_date": "2018-01-17T12:00:00-05:00",
+ "summary": "A vulnerability was discovered in modern microprocessors supported by the kernel, whereby an unprivileged attacker can use this flaw to bypass restrictions to gain read access to privileged memory.\nThe issue was reported as [CVE-2017-5715 / Spectre](https://access.redhat.com/security/cve/CVE-2017-5715).\n",
+ "generic": "An industry-wide issue was found in the manner many modern microprocessors have implemented speculative execution of instructions. There are three primary variants of the issue which differ in the way the speculative execution can be exploited.\n\nAll three rely upon the fact that modern high performance microprocessors implement both speculative execution, and utilize VIPT (Virtually Indexed, Physically Tagged) level 1 data caches that may become allocated with data in the kernel virtual address space during such speculation.\n\nAn unprivileged attacker could use these to read privileged memory by conducting targeted cache side-channel attacks, including memory locations that cross the syscall boundary or the guest/host boundary, or potentially arbitrary host memory addresses.\n",
+ "reason": "{{? pydata.error_key == \"VIRT_CVE_2017_5715_CPU_3_VIRTKERNEL\" || pydata.error_key == \"VIRT_CVE_2017_5715_CPU_3_DRACUTKERNEL\" }}This machine is vulnerable, because it runs a vulnerable kernel and has the following vulnerable packages installed:\n\n{{~ pydata.PACKAGES :value:index}}\n* `{{= value }}`{{~}}\n{{?}}{{? pydata.error_key == \"VIRT_CVE_2017_5715_CPU_3_ONLYKERNEL\" }}This machine is vulnerable, because it runs a vulnerable kernel.\n{{?}}{{? pydata.error_key == \"VIRT_CVE_2017_5715_CPU_3_ONLYVIRT\" || pydata.error_key == \"VIRT_CVE_2017_5715_CPU_3_ONLYDRACUT\" }}This machine is vulnerable, because it has the following vulnerable packages installed:\n\n{{~ pydata.PACKAGES :value:index}}\n* `{{= value }}`{{~}}\n{{?}}\n\n\n{{? pydata.error_key == \"VIRT_CVE_2017_5715_CPU_3_DRACUTKERNEL\" || pydata.error_key == \"VIRT_CVE_2017_5715_CPU_3_ONLYDRACUT\" }}This machine has a particular family of an AMD processor for which there exists an updated version of Dracut. Dracut is a low-level software for generating an initramfs/initrd image that, among other tasks, selects the appropriate processor microcode to use. It is possible, but not guaranteed, that after updating the affected Dracut packages, the appropriate microcode will be selected to enable the protections for Variant 2 of this issue.\n\n{{?}}\nAn unprivileged attacker could use the vulnerability to read privileged memory by conducting targeted cache side-channel attacks, including memory locations that cross the syscall boundary or the guest/host boundary, or potentially arbitrary host memory addresses.\n",
+ "more_info": "* For more information about the flaw, see [Kernel Side-Channel Attacks](https://access.redhat.com/security/vulnerabilities/speculativeexecution) and [CVE-2017-5715](https://access.redhat.com/security/cve/CVE-2017-5715).\n* For possible performance impact of kernel updates, see [Speculative Execution Exploit Performance Impacts](https://access.redhat.com/articles/3307751)\n* Extensive details can be found at the [Project Zero blog](https://googleprojectzero.blogspot.ca/2018/01/reading-privileged-memory-with-side.html) and [Meltdown and Spectre Attack webpage](https://meltdownattack.com/).\n* The Customer Portal page for the [Red Hat Security Team](https://access.redhat.com/security/) contains more information about policies, procedures, and alerts for Red Hat products.\n* The Security Team also maintains a frequently updated blog at [securityblog.redhat.com](https://securityblog.redhat.com).\n",
+ "resolution_set": [
+ {
+ "system_type": 105,
+ "resolution": "{{? pydata.error_key == \"VIRT_CVE_2017_5715_CPU_3_VIRTKERNEL\" || pydata.error_key == \"VIRT_CVE_2017_5715_CPU_3_DRACUTKERNEL\" }}Red Hat recommends that you update the kernel and the packages and restart the system:\n\n~~~~\n# yum update{{~ pydata.PACKAGE_NAMES :value:index}} {{= value }}{{~}}\n# yum update {{=pydata.kernel_pkg_name}}\n# reboot\n~~~~\n\nIf additional steps to update the kernel are necessary, they are detailed in the separate insights rule *Kernel vulnerable to side-channel attacks in modern microprocessors (CVE-2017-5753/Spectre, CVE-2017-5715/Spectre, CVE-2017-5754/Meltdown)*.\n{{?}}{{? pydata.error_key == \"VIRT_CVE_2017_5715_CPU_3_ONLYKERNEL\" }}Red Hat recommends that you update the kernel:\n\n~~~~\n# yum update {{=pydata.kernel_pkg_name}}\n# reboot\n~~~~\n\nIf additional steps to update the kernel are necessary, they are detailed in the separate insights rule *Kernel vulnerable to side-channel attacks in modern microprocessors (CVE-2017-5753/Spectre, CVE-2017-5715/Spectre, CVE-2017-5754/Meltdown)*.\n{{?}}{{? pydata.error_key == \"VIRT_CVE_2017_5715_CPU_3_ONLYVIRT\" || pydata.error_key == \"VIRT_CVE_2017_5715_CPU_3_ONLYDRACUT\" }}Red Hat recommends that you update the packages and restart the system:\n\n~~~~\n# yum update{{~ pydata.PACKAGE_NAMES :value:index}} {{= value }}{{~}}\n# reboot\n~~~~\n{{?}}\n\nFixes require CPU microcode/firmware to activate.\n\n**In addition:**\n\nSubscribers are advised to contact their hardware OEM to receive the appropriate microcode/firmware for their processor. Red Hat may be providing `microcode_ctl` and `linux_firmware` packages that will cover the limited subset of chipsets we were able to test, but this will **not** address many CPUs that you may have in use in your server fleet. Again, contacting your hardware vendor will ensure you have the appropriate software to enable the protections for Variant 2 of this issue.\n",
+ "resolution_risk": {
+ "name": "Upgrade Kernel",
+ "risk": 3
+ },
+ "has_playbook": true
+ }
+ ],
+ "total_risk": 2
+ },
+ "details": {
+ "type": "rule",
+ "cves_fail": [
+ "CVE-2017-5715"
+ ],
+ "cves_pass": [],
+ "error_key": "VIRT_CVE_2017_5715_CPU_3_ONLYKERNEL",
+ "kernel_pkg_name": "kernel",
+ "affected_amd_family": false
+ },
+ "resolution": {
+ "system_type": 105,
+ "resolution": "{{? pydata.error_key == \"VIRT_CVE_2017_5715_CPU_3_VIRTKERNEL\" || pydata.error_key == \"VIRT_CVE_2017_5715_CPU_3_DRACUTKERNEL\" }}Red Hat recommends that you update the kernel and the packages and restart the system:\n\n~~~~\n# yum update{{~ pydata.PACKAGE_NAMES :value:index}} {{= value }}{{~}}\n# yum update {{=pydata.kernel_pkg_name}}\n# reboot\n~~~~\n\nIf additional steps to update the kernel are necessary, they are detailed in the separate insights rule *Kernel vulnerable to side-channel attacks in modern microprocessors (CVE-2017-5753/Spectre, CVE-2017-5715/Spectre, CVE-2017-5754/Meltdown)*.\n{{?}}{{? pydata.error_key == \"VIRT_CVE_2017_5715_CPU_3_ONLYKERNEL\" }}Red Hat recommends that you update the kernel:\n\n~~~~\n# yum update {{=pydata.kernel_pkg_name}}\n# reboot\n~~~~\n\nIf additional steps to update the kernel are necessary, they are detailed in the separate insights rule *Kernel vulnerable to side-channel attacks in modern microprocessors (CVE-2017-5753/Spectre, CVE-2017-5715/Spectre, CVE-2017-5754/Meltdown)*.\n{{?}}{{? pydata.error_key == \"VIRT_CVE_2017_5715_CPU_3_ONLYVIRT\" || pydata.error_key == \"VIRT_CVE_2017_5715_CPU_3_ONLYDRACUT\" }}Red Hat recommends that you update the packages and restart the system:\n\n~~~~\n# yum update{{~ pydata.PACKAGE_NAMES :value:index}} {{= value }}{{~}}\n# reboot\n~~~~\n{{?}}\n\nFixes require CPU microcode/firmware to activate.\n\n**In addition:**\n\nSubscribers are advised to contact their hardware OEM to receive the appropriate microcode/firmware for their processor. Red Hat may be providing `microcode_ctl` and `linux_firmware` packages that will cover the limited subset of chipsets we were able to test, but this will **not** address many CPUs that you may have in use in your server fleet. Again, contacting your hardware vendor will ensure you have the appropriate software to enable the protections for Variant 2 of this issue.\n",
+ "resolution_risk": {
+ "name": "Upgrade Kernel",
+ "risk": 3
+ },
+ "has_playbook": true
+ }
+ },
+ {
+ "id": 16923676,
+ "rule": {
+ "id": 49,
+ "created_at": "2019-02-07T14:02:34.410515-05:00",
+ "updated_at": "2019-03-12T11:45:28.875932-04:00",
+ "ruleset": {
+ "created_at": "2018-12-20T20:33:00-05:00",
+ "updated_at": "2018-12-20T20:33:00-05:00",
+ "rule_source": "https://$REDACTED$/insights-open-source/insights-security",
+ "description": "Security"
+ },
+ "rule_id": "CVE_2017_5753_4_cpu_kernel|KERNEL_CVE_2017_5753_4_CPU_ERROR_3",
+ "description": "Kernel vulnerable to side-channel attacks in modern microprocessors (CVE-2017-5753/Spectre, CVE-2017-5715/Spectre, CVE-2017-5754/Meltdown)",
+ "active": true,
+ "category": {
+ "id": 2,
+ "name": "Security"
+ },
+ "impact": {
+ "name": "Information Disclosure",
+ "impact": 3
+ },
+ "likelihood": 2,
+ "node_id": "3244101",
+ "tags": "security kernel CVE",
+ "reboot_required": true,
+ "publish_date": "2018-01-22T12:00:00-05:00",
+ "summary": "A vulnerability was discovered in modern microprocessors supported by the kernel, whereby an unprivileged attacker can use this flaw to bypass restrictions to gain read access to privileged memory.\nThe issue was reported as [CVE-2017-5753 / CVE-2017-5715 / Spectre](https://access.redhat.com/security/cve/CVE-2017-5753) and [CVE-2017-5754 / Meltdown](https://access.redhat.com/security/cve/CVE-2017-5754).\n",
+ "generic": "An industry-wide issue was found in the manner many modern microprocessors have implemented speculative execution of instructions. There are three primary variants of the issue which differ in the way the speculative execution can be exploited.\n\nAll three rely upon the fact that modern high performance microprocessors implement both speculative execution, and utilize VIPT (Virtually Indexed, Physically Tagged) level 1 data caches that may become allocated with data in the kernel virtual address space during such speculation.\n\nAn unprivileged attacker could use these to read privileged memory by conducting targeted cache side-channel attacks, including memory locations that cross the syscall boundary or the guest/host boundary, or potentially arbitrary host memory addresses.\n\nMitigations for these vulnerabilities additionally require firmware/microcode updates from hardware vendors.\n",
+ "reason": "This system is vulnerable to the following variant(s):\n\n{{? pydata.problems.v1_vulnerable}}* Variant 1 (Spectre/CVE-2017-5753)\n{{?}}{{? pydata.problems.v2_vulnerable}}* Variant 2 (Spectre/CVE-2017-5715)\n{{?}}{{? pydata.problems.v3_vulnerable}}* Variant 3 (Meltdown/CVE-2017-5754)\n{{?}}\n\n{{ var factors_contributing_displayed = (!pydata.problems.kernel_supports_features || !pydata.problems.firmware_supports_features || pydata.problems.pti_cmdline_disabled || pydata.problems.ibpb_cmdline_disabled || pydata.problems.ibpb_cmdline_spectre_v2_disabled || pydata.problems.ibrs_cmdline_disabled || pydata.problems.ibrs_cmdline_spectre_v2_disabled || pydata.problems.rfi_flush_cmdline_disabled) ; }}{{? factors_contributing_displayed }}Factors contributing to these vulnerabilities are:\n\n{{? !pydata.problems.kernel_supports_features}}* This system's kernel needs updating.\n{{?}}{{? !pydata.problems.firmware_supports_features}}* This system needs a firmware update.\n{{?}}{{? pydata.problems.pti_cmdline_disabled}}* PTI has been disabled by the `nopti` kernel argument.\n{{?}}{{? pydata.problems.ibpb_cmdline_disabled}}* IBPB has been disabled by the `noibpb` kernel argument.\n{{?}}{{? pydata.problems.ibpb_cmdline_spectre_v2_disabled}}* IBPB has been disabled by the `{{=pydata.problems.spectre_v2_disabling_cmdline}}` kernel argument.\n{{?}}{{? pydata.problems.ibrs_cmdline_disabled}}* IBRS has been disabled by the `noibrs` kernel argument.\n{{?}}{{? pydata.problems.ibrs_cmdline_spectre_v2_disabled}}* IBRS has been disabled by the `{{=pydata.problems.spectre_v2_disabling_cmdline}}` kernel argument.\n{{?}}{{? pydata.problems.rfi_flush_cmdline_disabled}}* RFI flush has been disabled by the `no_rfi_flush` kernel argument.\n{{?}}{{?}}\n\n{{? 
( pydata.sysfs_vuln_md && (pydata.sysfs_vuln_md.indexOf(\"Vulnerable\") != -1)) || ( pydata.sysfs_vuln_s2 && (/Vulnerable: Minimal.*ASM retpoline/.test(pydata.sysfs_vuln_s2) || pydata.sysfs_vuln_s2.indexOf(\"Vulnerable: Retpoline without IBPB\") != -1 || pydata.sysfs_vuln_s2.indexOf(\"Vulnerable: Retpoline on Skylake\") != -1 || pydata.sysfs_vuln_s2.indexOf(\"Vulnerable: Retpoline with unsafe module\") != -1)) }}{{? factors_contributing_displayed }}Additional details:{{??}}Factors contributing to these vulnerabilities are:{{?}}\n\n{{? pydata.sysfs_vuln_md }}{{? pydata.sysfs_vuln_md.indexOf(\"Vulnerable\") != -1 }}* The CPU is vulnerable to Variant 3 (Meltdown/CVE-2017-5754) and PTI is disabled.\n{{?}}{{?}}{{? pydata.sysfs_vuln_s2 }}{{? /Vulnerable: Minimal.*ASM retpoline/.test(pydata.sysfs_vuln_s2) }}* The kernel has been compiled with an old version of the `gcc` compiler that doesn't support retpolines, so the kernel is vulnerable to Variant 2 (Spectre/CVE-2017-5715).\n{{?}}{{? pydata.sysfs_vuln_s2.indexOf(\"Vulnerable: Retpoline without IBPB\") != -1 }}* The CPU has vulnerable microcode, so the kernel can't use IBPB to mitigate Variant 2 (Spectre/CVE-2017-5715).\n{{?}}{{? pydata.sysfs_vuln_s2.indexOf(\"Vulnerable: Retpoline on Skylake\") != -1 }}* The CPU is Intel Skylake with updated microcode or newer, but retpolines are enabled. This type of CPU requires that IBRS is enabled and retpolines are disabled. The system is vulnerable to Variant 2 (Spectre/CVE-2017-5715) as a result.\n{{?}}{{? pydata.sysfs_vuln_s2.indexOf(\"Vulnerable: Retpoline with unsafe module\") != -1 }}* A kernel module is loaded that has been compiled with a compiler without retpoline support. As a result, the kernel is vulnerable to Variant 2 (Spectre/CVE-2017-5715).\n{{?}}{{?}}{{?}}\n\n{{? !pydata.debugfs_available || pydata.retpo_kernel_but_no_sys_cpu_vuln }}Some diagnostic information was unavailable to Insights.{{?}}\n{{? 
!pydata.debugfs_available }}* `debugfs` information was not available. {{? pydata.dmesg_available }}Feature settings were inferred from `dmesg` and known vendor defaults.{{??}}`dmesg` information is also unavailable, so it isn't possible to determine which mitigations are available.{{?}}\n{{?}}{{? pydata.retpo_kernel_but_no_sys_cpu_vuln }}* `/sys/devices/system/cpu/vulnerabilities` was not available to Insights, even though the kernel provides it.\n{{?}}\n\n",
+ "more_info": "* For more information about the flaws, see [Kernel Side-Channel Attacks](https://access.redhat.com/security/vulnerabilities/speculativeexecution), [CVE-2017-5754](https://access.redhat.com/security/cve/CVE-2017-5754), [CVE-2017-5753](https://access.redhat.com/security/cve/CVE-2017-5753), and [CVE-2017-5715](https://access.redhat.com/security/cve/CVE-2017-5715).\n* For possible performance impact of kernel updates, see [Speculative Execution Exploit Performance Impacts](https://access.redhat.com/articles/3307751).\n* For information related to VMs, see [How do I enable Markdown/Spectre mitigations in my virtualised machines?](https://access.redhat.com/articles/3331571)\n* Extensive details can be found at the [Project Zero blog](https://googleprojectzero.blogspot.ca/2018/01/reading-privileged-memory-with-side.html) and [Meltdown and Spectre Attack webpage](https://meltdownattack.com/).\n* More information about performance impact of the mitigations can be found in the [Speculative Execution Exploit Performance Impacts](https://access.redhat.com/articles/3307751) knowledgebase article.\n* The Customer Portal page for the [Red Hat Security Team](https://access.redhat.com/security/) contains more information about policies, procedures, and alerts for Red Hat products.\n* The Security Team also maintains a frequently updated blog at [securityblog.redhat.com](https://securityblog.redhat.com).\n",
+ "resolution_set": [
+ {
+ "system_type": 105,
+ "resolution": "{{? pydata.dmesg_wrapped || !pydata.debugfs_available || pydata.retpo_kernel_but_no_sys_cpu_vuln }}**To improve detection reliability:**{{?}}\n{{? pydata.dmesg_wrapped}}* The kernel ring buffer has wrapped, making some information from `dmesg` unreliable. See [How do I increase the kernel log ring buffer size?](https://access.redhat.com/solutions/47276) for further information. Rebooting the system may also overcome this issue.\n{{?}}{{? !pydata.debugfs_available}}* Kernel debug information was not available. Mount `debugfs` as follows: \n{{? pydata.release >= 7 }}\n ~~~\n # systemctl restart sys-kernel-debug.mount\n ~~~\n{{??}}\n ~~~\n # mount -t debugfs nodev /sys/kernel/debug\n ~~~\n{{?}}{{?}}{{? pydata.retpo_kernel_but_no_sys_cpu_vuln}}* Allow Insights to collect `/sys/devices/system/cpu/vulnerabilities`.\n{{?}}\n\n**To mitigate the vulnerability:**\n{{? ( pydata.dmesg_wrapped || !pydata.dmesg_available ) && !pydata.debugfs_available && (!pydata.sysfs_vuln_s1 && !pydata.sysfs_vuln_s2 && !pydata.sysfs_vuln_md) }}* It might be necessary to improve detection reliability before we can offer more concrete mitigation steps.{{? !pydata.problems.kernel_supports_features}} If it is not possible, update the kernel package and reboot:\n ~~~\n # yum update {{=pydata.package_name}}\n # reboot\n ~~~\n{{?}}\n{{?}}{{? pydata.dmesg_available && !pydata.problems.kernel_supports_features }}* This system is running a vulnerable kernel. Update the kernel package and reboot:\n ~~~\n # yum update {{=pydata.package_name}}\n # reboot\n ~~~\n{{?}}{{? ((pydata.debugfs_available || pydata.dmesg_available) && !pydata.problems.firmware_supports_features) || (pydata.sysfs_vuln_s2 && (pydata.sysfs_vuln_s2.indexOf(\"Vulnerable: Retpoline without IBPB\") != -1)) }}* This system needs a firmware update. Contact your system hardware vendor for more information.\n{{?}}{{? 
pydata.problems.pti_cmdline_disabled }}* Remove the `nopti` kernel argument:\n ~~~\n # grubby --update-kernel=ALL --remove-args=nopti\n ~~~\n{{?}}{{? pydata.problems.ibpb_cmdline_disabled }}* Remove the `noibpb` kernel argument:\n ~~~\n # grubby --update-kernel=ALL --remove-args=noibpb\n ~~~\n{{?}}{{? pydata.problems.ibrs_cmdline_disabled }}* Remove the `noibrs` kernel argument:\n ~~~\n # grubby --update-kernel=ALL --remove-args=noibrs\n ~~~\n{{?}}{{? ( pydata.problems.ibpb_cmdline_spectre_v2_disabled || pydata.problems.ibrs_cmdline_spectre_v2_disabled ) && ( pydata.problems.spectre_v2_disabling_cmdline.indexOf(\"v2=\") != -1 ) }}* Remove the `spectre_v2` kernel argument:\n ~~~\n # grubby --update-kernel=ALL --remove-args=spectre_v2\n ~~~\n{{?}}{{? ( pydata.problems.ibpb_cmdline_spectre_v2_disabled || pydata.problems.ibrs_cmdline_spectre_v2_disabled ) && ( pydata.problems.spectre_v2_disabling_cmdline.indexOf(\"nospectre\") != -1 ) }}* Remove the `nospectre_v2` kernel argument:\n ~~~\n # grubby --update-kernel=ALL --remove-args=nospectre_v2\n ~~~\n{{?}}{{? pydata.problems.rfi_flush_cmdline_disabled }}* Remove the `no_rfi_flush` kernel argument:\n ~~~\n # grubby --update-kernel=ALL --remove-args=no_rfi_flush\n ~~~\n{{?}}{{? pydata.sysfs_vuln_s2 }}{{? /Vulnerable: Minimal.*ASM retpoline/.test(pydata.sysfs_vuln_s2) }}* This system is running a custom kernel that has been compiled with outdated `gcc`. Either recompile the kernel with retpoline-enabled `gcc` or update the kernel package and reboot:\n ~~~\n # yum update {{=pydata.package_name}}\n # reboot\n ~~~\n{{?}}{{? pydata.sysfs_vuln_s2.indexOf(\"Vulnerable: Retpoline on Skylake\") != -1 }}* Enable IBRS and disable retpolines. Retpolines are disabled automatically when IBRS is enabled:\n ~~~\n # echo 1 > /sys/kernel/debug/x86/ibrs_enabled\n ~~~\n{{?}}{{? 
pydata.sysfs_vuln_s2.indexOf(\"Vulnerable: Retpoline with unsafe module\") != -1 }}* Unload the kernel modules that have been compiled without a retpoline-enabled compiler. To find the affected kernel modules:\n ~~~\n # dmesg | grep \"WARNING: module.*built without retpoline-enabled compiler\"\n ~~~\nTo unload the module:\n ~~~\n # modprobe -r module_name\n ~~~\n{{?}}{{?}}{{? pydata.problems.pti_cmdline_disabled || pydata.problems.ibpb_cmdline_disabled || pydata.problems.ibrs_cmdline_disabled || pydata.problems.ibpb_cmdline_spectre_v2_disabled || pydata.problems.ibrs_cmdline_spectre_v2_disabled || pydata.problems.rfi_flush_cmdline_disabled }}\n ~~~\n # reboot\n ~~~\n {{?}}\n\n{{? !pydata.virtual == false || pydata.virtual === null }}**Note about virtualization**\n\nIn virtualized environment, there are more steps to mitigate the issue, including:\n* Host needs to have updated kernel and CPU microcode\n* Host needs to have updated virtualization software\n* Guest needs to have updated kernel\n* Hypervisor needs to propagate new CPU features correctly\n\nFor more details about mitigations in virtualized environment see: [https://access.redhat.com/articles/3331571](https://access.redhat.com/articles/3331571){{?}}\n\n{{? pydata.virtual == \"vmware\" }}For help with setting VMWare to propagate CPU features correctly, refer to the following knowledge-base article: [https://kb.vmware.com/s/article/52085](https://kb.vmware.com/s/article/52085){{?}}\n",
+ "resolution_risk": {
+ "name": "Upgrade Kernel",
+ "risk": 3
+ },
+ "has_playbook": true
+ }
+ ],
+ "total_risk": 2
+ },
+ "details": {
+ "mfr": "Intel",
+ "type": "rule",
+ "virtual": "kvm",
+ "problems": {
+ "v1_vulnerable": false,
+ "v2_vulnerable": true,
+ "v3_vulnerable": false,
+ "pti_cmdline_disabled": false,
+ "ibpb_cmdline_disabled": false,
+ "ibrs_cmdline_disabled": false,
+ "kernel_supports_features": true,
+ "firmware_supports_features": false,
+ "rfi_flush_cmdline_disabled": false,
+ "spectre_v2_disabling_cmdline": null,
+ "ibpb_cmdline_spectre_v2_disabled": false,
+ "ibrs_cmdline_spectre_v2_disabled": false
+ },
+ "cves_fail": [
+ "CVE-2017-5715"
+ ],
+ "cves_pass": [
+ "CVE-2017-5753",
+ "CVE-2017-5754"
+ ],
+ "error_key": "KERNEL_CVE_2017_5753_4_CPU_ERROR_3",
+ "package_name": "kernel",
+ "dmesg_wrapped": false,
+ "release_major": "7",
+ "sysfs_vuln_md": "Mitigation: PTI",
+ "sysfs_vuln_s1": "Mitigation: Load fences, __user pointer sanitization",
+ "sysfs_vuln_s2": "Vulnerable: Retpoline without IBPB",
+ "running_kernel": "3.10.0-862.14.4.el7.x86_64",
+ "dmesg_available": true,
+ "debugfs_available": true,
+ "old_specs_on_client": false,
+ "retpo_kernel_but_no_sys_cpu_vuln": false
+ },
+ "resolution": {
+ "system_type": 105,
+ "resolution": "{{? pydata.dmesg_wrapped || !pydata.debugfs_available || pydata.retpo_kernel_but_no_sys_cpu_vuln }}**To improve detection reliability:**{{?}}\n{{? pydata.dmesg_wrapped}}* The kernel ring buffer has wrapped, making some information from `dmesg` unreliable. See [How do I increase the kernel log ring buffer size?](https://access.redhat.com/solutions/47276) for further information. Rebooting the system may also overcome this issue.\n{{?}}{{? !pydata.debugfs_available}}* Kernel debug information was not available. Mount `debugfs` as follows: \n{{? pydata.release >= 7 }}\n ~~~\n # systemctl restart sys-kernel-debug.mount\n ~~~\n{{??}}\n ~~~\n # mount -t debugfs nodev /sys/kernel/debug\n ~~~\n{{?}}{{?}}{{? pydata.retpo_kernel_but_no_sys_cpu_vuln}}* Allow Insights to collect `/sys/devices/system/cpu/vulnerabilities`.\n{{?}}\n\n**To mitigate the vulnerability:**\n{{? ( pydata.dmesg_wrapped || !pydata.dmesg_available ) && !pydata.debugfs_available && (!pydata.sysfs_vuln_s1 && !pydata.sysfs_vuln_s2 && !pydata.sysfs_vuln_md) }}* It might be necessary to improve detection reliability before we can offer more concrete mitigation steps.{{? !pydata.problems.kernel_supports_features}} If it is not possible, update the kernel package and reboot:\n ~~~\n # yum update {{=pydata.package_name}}\n # reboot\n ~~~\n{{?}}\n{{?}}{{? pydata.dmesg_available && !pydata.problems.kernel_supports_features }}* This system is running a vulnerable kernel. Update the kernel package and reboot:\n ~~~\n # yum update {{=pydata.package_name}}\n # reboot\n ~~~\n{{?}}{{? ((pydata.debugfs_available || pydata.dmesg_available) && !pydata.problems.firmware_supports_features) || (pydata.sysfs_vuln_s2 && (pydata.sysfs_vuln_s2.indexOf(\"Vulnerable: Retpoline without IBPB\") != -1)) }}* This system needs a firmware update. Contact your system hardware vendor for more information.\n{{?}}{{? 
pydata.problems.pti_cmdline_disabled }}* Remove the `nopti` kernel argument:\n ~~~\n # grubby --update-kernel=ALL --remove-args=nopti\n ~~~\n{{?}}{{? pydata.problems.ibpb_cmdline_disabled }}* Remove the `noibpb` kernel argument:\n ~~~\n # grubby --update-kernel=ALL --remove-args=noibpb\n ~~~\n{{?}}{{? pydata.problems.ibrs_cmdline_disabled }}* Remove the `noibrs` kernel argument:\n ~~~\n # grubby --update-kernel=ALL --remove-args=noibrs\n ~~~\n{{?}}{{? ( pydata.problems.ibpb_cmdline_spectre_v2_disabled || pydata.problems.ibrs_cmdline_spectre_v2_disabled ) && ( pydata.problems.spectre_v2_disabling_cmdline.indexOf(\"v2=\") != -1 ) }}* Remove the `spectre_v2` kernel argument:\n ~~~\n # grubby --update-kernel=ALL --remove-args=spectre_v2\n ~~~\n{{?}}{{? ( pydata.problems.ibpb_cmdline_spectre_v2_disabled || pydata.problems.ibrs_cmdline_spectre_v2_disabled ) && ( pydata.problems.spectre_v2_disabling_cmdline.indexOf(\"nospectre\") != -1 ) }}* Remove the `nospectre_v2` kernel argument:\n ~~~\n # grubby --update-kernel=ALL --remove-args=nospectre_v2\n ~~~\n{{?}}{{? pydata.problems.rfi_flush_cmdline_disabled }}* Remove the `no_rfi_flush` kernel argument:\n ~~~\n # grubby --update-kernel=ALL --remove-args=no_rfi_flush\n ~~~\n{{?}}{{? pydata.sysfs_vuln_s2 }}{{? /Vulnerable: Minimal.*ASM retpoline/.test(pydata.sysfs_vuln_s2) }}* This system is running a custom kernel that has been compiled with outdated `gcc`. Either recompile the kernel with retpoline-enabled `gcc` or update the kernel package and reboot:\n ~~~\n # yum update {{=pydata.package_name}}\n # reboot\n ~~~\n{{?}}{{? pydata.sysfs_vuln_s2.indexOf(\"Vulnerable: Retpoline on Skylake\") != -1 }}* Enable IBRS and disable retpolines. Retpolines are disabled automatically when IBRS is enabled:\n ~~~\n # echo 1 > /sys/kernel/debug/x86/ibrs_enabled\n ~~~\n{{?}}{{? 
pydata.sysfs_vuln_s2.indexOf(\"Vulnerable: Retpoline with unsafe module\") != -1 }}* Unload the kernel modules that have been compiled without a retpoline-enabled compiler. To find the affected kernel modules:\n ~~~\n # dmesg | grep \"WARNING: module.*built without retpoline-enabled compiler\"\n ~~~\nTo unload the module:\n ~~~\n # modprobe -r module_name\n ~~~\n{{?}}{{?}}{{? pydata.problems.pti_cmdline_disabled || pydata.problems.ibpb_cmdline_disabled || pydata.problems.ibrs_cmdline_disabled || pydata.problems.ibpb_cmdline_spectre_v2_disabled || pydata.problems.ibrs_cmdline_spectre_v2_disabled || pydata.problems.rfi_flush_cmdline_disabled }}\n ~~~\n # reboot\n ~~~\n {{?}}\n\n{{? !pydata.virtual == false || pydata.virtual === null }}**Note about virtualization**\n\nIn virtualized environment, there are more steps to mitigate the issue, including:\n* Host needs to have updated kernel and CPU microcode\n* Host needs to have updated virtualization software\n* Guest needs to have updated kernel\n* Hypervisor needs to propagate new CPU features correctly\n\nFor more details about mitigations in virtualized environment see: [https://access.redhat.com/articles/3331571](https://access.redhat.com/articles/3331571){{?}}\n\n{{? pydata.virtual == \"vmware\" }}For help with setting VMWare to propagate CPU features correctly, refer to the following knowledge-base article: [https://kb.vmware.com/s/article/52085](https://kb.vmware.com/s/article/52085){{?}}\n",
+ "resolution_risk": {
+ "name": "Upgrade Kernel",
+ "risk": 3
+ },
+ "has_playbook": true
+ }
+ },
+ {
+ "id": 16923673,
+ "rule": {
+ "id": 72,
+ "created_at": "2019-02-07T14:02:34.653624-05:00",
+ "updated_at": "2019-03-12T11:45:29.372525-04:00",
+ "ruleset": {
+ "created_at": "2018-12-20T20:33:00-05:00",
+ "updated_at": "2018-12-20T20:33:00-05:00",
+ "rule_source": "https://$REDACTED$/insights-open-source/insights-security",
+ "description": "Security"
+ },
+ "rule_id": "CVE_2018_3639_cpu_kernel|CVE_2018_3639_CPU_BAD_MICROCODE",
+ "description": "Kernel vulnerable to side-channel attacks in modern microprocessors using Speculative Store Bypass when CPU microcode is outdated (CVE-2018-3639)",
+ "active": true,
+ "category": {
+ "id": 2,
+ "name": "Security"
+ },
+ "impact": {
+ "name": "Local Privilege Escalation",
+ "impact": 2
+ },
+ "likelihood": 2,
+ "node_id": "3448801",
+ "tags": "security",
+ "reboot_required": true,
+ "publish_date": "2018-05-21T21:00:00-04:00",
+ "summary": "An industry-wide issue was found in the manner in which many modern microprocessors have implemented speculative execution of instructions. It has been assigned [CVE-2018-3639](https://access.redhat.com/security/cve/CVE-2018-3639). Mitigations for this vulnerability require firmware/microcode updates from hardware vendors.\n\nAn unprivileged attacker can use this flaw to bypass restrictions in order to gain read access to privileged memory that would otherwise be inaccessible.\n",
+ "generic": "An industry-wide issue was found in the manner in which many modern microprocessors have implemented speculative execution of instructions. The flaw is similar to CVE-2017-5753 (aka \"Spectre v1\"), except it leverages Speculative Store Bypass memory optimization in place of the Branch Misprediction used by Spectre v1.\n\nAn unprivileged attacker can use this flaw to bypass restrictions in order to gain read access to privileged memory that would otherwise be inaccessible, e.g. to memory outside of a sandboxed environments like web browsers or JIT execution runtimes.\n\nMitigations for this vulnerability require firmware/microcode updates from hardware vendors.\n\nRed Hat recommends that you update the kernel and update firmware.\n",
+ "reason": "The system is vulnerable because:\n\n* CPU microcode requires an update\n",
+ "more_info": "* For more information about the flaw, see [the vulnerability article](https://access.redhat.com/security/vulnerabilities/ssbd).\n* To learn how to upgrade packages, see [What is yum and how do I use it?](https://access.redhat.com/solutions/9934).\n* The Customer Portal page for the [Red Hat Security Team](https://access.redhat.com/security/) contains more information about policies, procedures, and alerts for Red Hat products.\n* The Security Team also maintains a frequently updated blog at [securityblog.redhat.com](https://securityblog.redhat.com).\n",
+ "resolution_set": [
+ {
+ "system_type": 105,
+ "resolution": "This system needs a firmware update. Contact your system hardware vendor for more information.\n\n{{? !pydata.virtual == false || pydata.virtual === null}}**Note about virtualization**\n\nIn virtualized environment, there are more steps to mitigate the issue, including:\n* Host needs to have updated kernel and CPU microcode\n* Host needs to have updated virtualization software\n* Guest needs to have updated kernel\n* Hypervisor needs to propagate new CPU features correctly\n\nFor more details about mitigations in virtualized environment see: [https://access.redhat.com/articles/3331571](https://access.redhat.com/articles/3331571){{?}}\n\n{{? pydata.virtual == \"vmware\" }}For help with setting VMWare to propagate CPU features correctly, refer to the following knowledge-base article: [https://kb.vmware.com/s/article/52085](https://kb.vmware.com/s/article/52085){{?}}\n",
+ "resolution_risk": {
+ "name": "Hardware Vendor Firmware Update",
+ "risk": 3
+ },
+ "has_playbook": false
+ }
+ ],
+ "total_risk": 2
+ },
+ "details": {
+ "rt": false,
+ "type": "rule",
+ "virtual": "kvm",
+ "cmd_avail": true,
+ "cves_fail": [
+ "CVE-2018-3639"
+ ],
+ "cves_pass": [],
+ "error_key": "CVE_2018_3639_CPU_BAD_MICROCODE",
+ "running_kernel": "3.10.0-862.14.4.el7.x86_64",
+ "vuln_file_present": true
+ },
+ "resolution": {
+ "system_type": 105,
+ "resolution": "This system needs a firmware update. Contact your system hardware vendor for more information.\n\n{{? !pydata.virtual == false || pydata.virtual === null}}**Note about virtualization**\n\nIn virtualized environment, there are more steps to mitigate the issue, including:\n* Host needs to have updated kernel and CPU microcode\n* Host needs to have updated virtualization software\n* Guest needs to have updated kernel\n* Hypervisor needs to propagate new CPU features correctly\n\nFor more details about mitigations in virtualized environment see: [https://access.redhat.com/articles/3331571](https://access.redhat.com/articles/3331571){{?}}\n\n{{? pydata.virtual == \"vmware\" }}For help with setting VMWare to propagate CPU features correctly, refer to the following knowledge-base article: [https://kb.vmware.com/s/article/52085](https://kb.vmware.com/s/article/52085){{?}}\n",
+ "resolution_risk": {
+ "name": "Hardware Vendor Firmware Update",
+ "risk": 3
+ },
+ "has_playbook": false
+ }
+ },
+ {
+ "id": 16923678,
+ "rule": {
+ "id": 193,
+ "created_at": "2019-02-07T14:02:35.803497-05:00",
+ "updated_at": "2019-02-07T14:02:35.803513-05:00",
+ "ruleset": {
+ "created_at": "2018-12-20T20:33:00-05:00",
+ "updated_at": "2018-12-20T20:33:00-05:00",
+ "rule_source": "https://$REDACTED$/insights-open-source/insights-security",
+ "description": "Security"
+ },
+ "rule_id": "hardening_httpd_pci_dss|HARDENING_HTTPD_PCI_DSS",
+ "description": "Decreased security in httpd when using deprecated TLS protocol version (PCI DSS)",
+ "active": true,
+ "category": {
+ "id": 2,
+ "name": "Security"
+ },
+ "impact": {
+ "name": "Hardening",
+ "impact": 1
+ },
+ "likelihood": 1,
+ "node_id": "",
+ "tags": "httpd hardening security",
+ "reboot_required": false,
+ "publish_date": "2018-10-20T00:00:00-04:00",
+ "summary": "PCI Data Security Standard [mandates disabling](https://blog.pcisecuritystandards.org/are-you-ready-for-30-june-2018-sayin-goodbye-to-ssl-early-tls) TLS versions older than 1.1 for safeguarding payment data.\n",
+ "generic": "These hosts are running httpd with legacy SSL or TLS versions enabled and might be non-compliant with the PCI Data Security Standard.\n\nRed Hat recommends that you change your httpd/Apache configuration files. Select a host to see the host-specific details that need to be updated within the httpd/Apache configuration.\n",
+ "reason": "This host is running httpd with legacy SSL or TLS versions enabled and might be non-compliant with the PCI Data Security Standard.\n",
+ "more_info": "* For more information about the new PCI DSS rules, see [the article](https://blog.pcisecuritystandards.org/are-you-ready-for-30-june-2018-sayin-goodbye-to-ssl-early-tls)\n* [How do I globally disable TLSv1.0 on my RHEL server?](https://access.redhat.com/solutions/2157131)\n* The Customer Portal page for the [Red Hat Security Team](https://access.redhat.com/security/) contains more information about policies, procedures, and alerts for Red Hat Products.\n* The Security Team also maintains a frequently updated blog at [securityblog.redhat.com](https://securityblog.redhat.com).\n",
+ "resolution_set": [
+ {
+ "system_type": 19,
+ "resolution": "Red Hat recommends that you disable SSLv3 and TLSv1.0.\n\n{{?pydata.ssl_protocols}}**The following SSLProtocol directive(s) in the respective Apache configuration files will need to be modified:**\n{{~pydata.ssl_protocols: ssl}}\n- `{{=ssl[0]}}` - `{{=ssl[1]}}`
\n{{~}}
\n\nRed Hat recommends that either of these `SSLProtocol` configurations is used:\n* `SSLProtocol -all +TLSv1.1 +TLSv1.2`\n* `SSLProtocol all -SSLv2 -SSLv3 -TLSv1`\n\nFor additional hardening, to use TLS 1.2 only, use either of these `SSLProtocol` configurations:\n* `SSLProtocol -all +TLSv1.2`\n* `SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1`\n{{?}}\n\n{{?pydata.nss_protocols}}**The following NSSProtocol directive(s) in the respective Apache configuration files will need to be modified:**\n{{~pydata.nss_protocols: nss}}\n- `{{=nss[0]}}` - `{{=nss[1]}}`
\n{{~}}
\n\nRed Hat recommends that this `NSSProtocol` configuration is used:\n* `NSSProtocol TLSv1.1,TLSv1.2`\n\nFor additional hardening, to use TLS 1.2 only, use the following `NSSProtocol` configuration:\n* `NSSProtocol TLSv1.2`\n{{?}}\n\nThen restart httpd:\n\n # service httpd restart\n\nMake the changes permanent in the container image by using the **docker commit** command at the next container shutdown.\n\n{{?pydata.scl_installed}}You have installed httpd from Software Collections, which uses a different configuration files path from the default httpd. Some of the detected configuration files might be applicable only if the respective httpd package is used. Red Hat recommends resolving all listed issues to prevent inadvertent exposure to the vulnerability in case the httpd you use changes in the future.\n{{?}}\n",
+ "resolution_risk": {
+ "name": "Update Service Configuration",
+ "risk": 3
+ },
+ "has_playbook": false
+ },
+ {
+ "system_type": 105,
+ "resolution": "Red Hat recommends that you disable SSLv3 and TLSv1.0.\n\n{{?pydata.ssl_protocols}}**The following SSLProtocol directive(s) in the respective Apache configuration files will need to be modified:**\n{{~pydata.ssl_protocols: ssl}}* `{{=ssl[0]}}` - {{=ssl[1]}}\n{{~}}\n\nRed Hat recommends that either of these `SSLProtocol` configurations is used:\n* `SSLProtocol -all +TLSv1.1 +TLSv1.2`\n* `SSLProtocol all -SSLv2 -SSLv3 -TLSv1`\n\nFor additional hardening, to use TLS 1.2 only, use either of these `SSLProtocol` configurations:\n* `SSLProtocol -all +TLSv1.2`\n* `SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1`\n{{?}}\n\n{{?pydata.nss_protocols}}**The following NSSProtocol directive(s) in the respective Apache configuration files will need to be modified:**\n{{~pydata.nss_protocols: nss}}* `{{=nss[0]}}` - {{=nss[1]}}\n{{~}}\n\nRed Hat recommends that this `NSSProtocol` configuration is used:\n* `NSSProtocol TLSv1.1,TLSv1.2`\n\nFor additional hardening, to use TLS 1.2 only, use the following `NSSProtocol` configuration:\n* `NSSProtocol TLSv1.2`\n{{?}}\n\nThen restart httpd:\n\n # service httpd restart\n\n{{?pydata.scl_installed}}You have installed httpd from Software Collections, which uses a different configuration files path from the default httpd. Some of the detected configuration files might be applicable only if the respective httpd package is used. Red Hat recommends resolving all listed issues to prevent inadvertent exposure to the vulnerability in case the httpd you use changes in the future.\n{{?}}\n",
+ "resolution_risk": {
+ "name": "Update Service Configuration",
+ "risk": 3
+ },
+ "has_playbook": false
+ },
+ {
+ "system_type": 29,
+ "resolution": "Red Hat recommends that you disable SSLv3 and TLSv1.0.\n\n{{?pydata.ssl_protocols}}**The following SSLProtocol directive(s) in the respective Apache configuration files will need to be modified:**\n{{~pydata.ssl_protocols: ssl}}\n- `{{=ssl[0]}}` - `{{=ssl[1]}}`
\n{{~}}
\n\nRed Hat recommends that either of these `SSLProtocol` configurations is used:\n* `SSLProtocol -all +TLSv1.1 +TLSv1.2`\n* `SSLProtocol all -SSLv2 -SSLv3 -TLSv1`\n\nFor additional hardening, to use TLS 1.2 only, use either of these `SSLProtocol` configurations:\n* `SSLProtocol -all +TLSv1.2`\n* `SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1`\n{{?}}\n\n{{?pydata.nss_protocols}}**The following NSSProtocol directive(s) in the respective Apache configuration files will need to be modified:**\n{{~pydata.nss_protocols: nss}}\n- `{{=nss[0]}}` - `{{=nss[1]}}`
\n{{~}}
\n\nRed Hat recommends that this `NSSProtocol` configuration is used:\n* `NSSProtocol TLSv1.1,TLSv1.2`\n\nFor additional hardening, to use TLS 1.2 only, use the following `NSSProtocol` configuration:\n* `NSSProtocol TLSv1.2`\n{{?}}\n\nMake the changes permanent in the image by using the **docker commit** command.\n\n{{?pydata.scl_installed}}You have installed httpd from Software Collections, which uses a different configuration files path from the default httpd. Some of the detected configuration files might be applicable only if the respective httpd package is used. Red Hat recommends resolving all listed issues to prevent inadvertent exposure to the vulnerability in case the httpd you use changes in the future.\n{{?}}\n",
+ "resolution_risk": {
+ "name": "Update Service Configuration",
+ "risk": 3
+ },
+ "has_playbook": false
+ }
+ ],
+ "total_risk": 1
+ },
+ "details": {
+ "type": "rule",
+ "error_key": "HARDENING_HTTPD_PCI_DSS",
+ "nss_protocols": [
+ [
+ "NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2",
+ "/etc/httpd/conf.d/nss.conf"
+ ]
+ ],
+ "scl_installed": false,
+ "ssl_protocols": null
+ },
+ "resolution": {
+ "system_type": 105,
+ "resolution": "Red Hat recommends that you disable SSLv3 and TLSv1.0.\n\n{{?pydata.ssl_protocols}}**The following SSLProtocol directive(s) in the respective Apache configuration files will need to be modified:**\n{{~pydata.ssl_protocols: ssl}}* `{{=ssl[0]}}` - {{=ssl[1]}}\n{{~}}\n\nRed Hat recommends that either of these `SSLProtocol` configurations is used:\n* `SSLProtocol -all +TLSv1.1 +TLSv1.2`\n* `SSLProtocol all -SSLv2 -SSLv3 -TLSv1`\n\nFor additional hardening, to use TLS 1.2 only, use either of these `SSLProtocol` configurations:\n* `SSLProtocol -all +TLSv1.2`\n* `SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1`\n{{?}}\n\n{{?pydata.nss_protocols}}**The following NSSProtocol directive(s) in the respective Apache configuration files will need to be modified:**\n{{~pydata.nss_protocols: nss}}* `{{=nss[0]}}` - {{=nss[1]}}\n{{~}}\n\nRed Hat recommends that this `NSSProtocol` configuration is used:\n* `NSSProtocol TLSv1.1,TLSv1.2`\n\nFor additional hardening, to use TLS 1.2 only, use the following `NSSProtocol` configuration:\n* `NSSProtocol TLSv1.2`\n{{?}}\n\nThen restart httpd:\n\n # service httpd restart\n\n{{?pydata.scl_installed}}You have installed httpd from Software Collections, which uses a different configuration files path from the default httpd. Some of the detected configuration files might be applicable only if the respective httpd package is used. Red Hat recommends resolving all listed issues to prevent inadvertent exposure to the vulnerability in case the httpd you use changes in the future.\n{{?}}\n",
+ "resolution_risk": {
+ "name": "Update Service Configuration",
+ "risk": 3
+ },
+ "has_playbook": false
+ }
+ },
+ {
+ "id": 16923677,
+ "rule": {
+ "id": 235,
+ "created_at": "2019-02-07T14:02:36.236195-05:00",
+ "updated_at": "2019-02-11T15:21:37.409742-05:00",
+ "ruleset": {
+ "created_at": "2018-05-21T22:00:51-04:00",
+ "updated_at": "2018-05-21T22:00:51-04:00",
+ "rule_source": "https://$REDACTED$/insights-open-source/insights-plugins",
+ "description": "Advisor"
+ },
+ "rule_id": "httpd24_deprecated_order|DEPRECATED_ORDER_USED_INFO_V1",
+ "description": "Unexpected behavior when using deprecated access control directives in httpd 2.4",
+ "active": true,
+ "category": {
+ "id": 1,
+ "name": "Availability"
+ },
+ "impact": {
+ "name": "Invalid Configuration",
+ "impact": 1
+ },
+ "likelihood": 3,
+ "node_id": "",
+ "tags": "sbr_webservers webservers httpd",
+ "reboot_required": false,
+ "publish_date": "2018-05-30T20:39:00-04:00",
+ "summary": "The httpd service does not work as expected when using old directives in httpd-2.4.\n",
+ "generic": "Access control is using deprecated directives (\"Order\", \"Allow\" and \"Deny\") provided by `mod_authz_compat` which has been replaced by `mod_authz_host` in **httpd 2.4**.\n",
+ "reason": "This host is running **{{=pydata.ver}}** and using the following old directives (`Order`, `Allow` or `Deny`) which have been deprecated:\n\n{{ for (var _sec in pydata.dep_conf) { }}\n* Section `<{{=_sec}}>`\n {{ for (var file in pydata.dep_conf[_sec]) { }} * Configuration file `{{=file}}`\n ```text {{ for (var dir in pydata.dep_conf[_sec][file]) { }}\n {{=pydata.dep_conf[_sec][file][dir]}} {{ } }}\n ```\n {{ } }}\n{{ } }}\n",
+ "more_info": "",
+ "resolution_set": [
+ {
+ "system_type": 105,
+ "resolution": "Red Hat recommends that you replace the old directives (\"Order\", \"Allow\" and \"Deny\") with the new directive (\"Require\") in **httpd-2.4**. Please check the [Upgrading to 2.4 from 2.2](http://httpd.apache.org/docs/2.4/upgrading.html) guide for more information.\n",
+ "resolution_risk": {
+ "name": "Update Service Configuration",
+ "risk": 3
+ },
+ "has_playbook": false
+ }
+ ],
+ "total_risk": 2
+ },
+ "details": {
+ "ver": "httpd-2.4.6-80.el7",
+ "type": "rule",
+ "dep_conf": {
+ "Location /KdcProxy": {
+ "/etc/httpd/conf.d/ipa-kdc-proxy.conf": [
+ "Order Deny,Allow",
+ "Allow from all"
+ ]
+ },
+ "Directory /usr/share/fonts": {
+ "/etc/httpd/conf.d/ipa.conf": [
+ "Allow from all"
+ ]
+ },
+ "Directory /usr/share/ipa/ui": {
+ "/etc/httpd/conf.d/ipa.conf": [
+ "Allow from all"
+ ]
+ },
+ "Directory /usr/share/ipa/html": {
+ "/etc/httpd/conf.d/ipa.conf": [
+ "Allow from all"
+ ]
+ },
+ "Directory /usr/share/ipa/wsgi": {
+ "/etc/httpd/conf.d/ipa.conf": [
+ "Allow from all"
+ ]
+ },
+ "Location /ipa/session/sync_token": {
+ "/etc/httpd/conf.d/ipa.conf": [
+ "Order Deny,Allow",
+ "Allow from all"
+ ]
+ },
+ "Directory /usr/share/ipa/migration": {
+ "/etc/httpd/conf.d/ipa.conf": [
+ "Allow from all"
+ ]
+ },
+ "Location /ipa/session/login_password": {
+ "/etc/httpd/conf.d/ipa.conf": [
+ "Order Deny,Allow",
+ "Allow from all"
+ ]
+ },
+ "Directory /var/lib/ipa/pki-ca/publish": {
+ "/etc/httpd/conf.d/ipa.conf": [
+ "Allow from all"
+ ]
+ },
+ "Location /ipa/session/change_password": {
+ "/etc/httpd/conf.d/ipa.conf": [
+ "Order Deny,Allow",
+ "Allow from all"
+ ]
+ }
+ },
+ "error_key": "DEPRECATED_ORDER_USED_INFO_V1"
+ },
+ "resolution": {
+ "system_type": 105,
+ "resolution": "Red Hat recommends that you replace the old directives (\"Order\", \"Allow\" and \"Deny\") with the new directive (\"Require\") in **httpd-2.4**. Please check the [Upgrading to 2.4 from 2.2](http://httpd.apache.org/docs/2.4/upgrading.html) guide for more information.\n",
+ "resolution_risk": {
+ "name": "Update Service Configuration",
+ "risk": 3
+ },
+ "has_playbook": false
+ }
+ }
+]
diff --git a/awx/main/tests/data/insights.py b/awx/main/tests/data/insights.py
index 325dff7ba8..8ddb0eba88 100644
--- a/awx/main/tests/data/insights.py
+++ b/awx/main/tests/data/insights.py
@@ -4,6 +4,11 @@ import os
dir_path = os.path.dirname(os.path.realpath(__file__))
-with open(os.path.join(dir_path, 'insights.json')) as data_file:
- TEST_INSIGHTS_PLANS = json.loads(data_file.read())
+with open(os.path.join(dir_path, 'insights_hosts.json')) as data_file:
+ TEST_INSIGHTS_HOSTS = json.load(data_file)
+with open(os.path.join(dir_path, 'insights.json')) as data_file:
+ TEST_INSIGHTS_PLANS = json.load(data_file)
+
+with open(os.path.join(dir_path, 'insights_remediations.json')) as data_file:
+ TEST_INSIGHTS_REMEDIATIONS = json.load(data_file)['data']
diff --git a/awx/main/tests/data/insights_hosts.json b/awx/main/tests/data/insights_hosts.json
new file mode 100644
index 0000000000..8228222854
--- /dev/null
+++ b/awx/main/tests/data/insights_hosts.json
@@ -0,0 +1,13 @@
+{
+ "total": 1,
+ "count": 1,
+ "page": 1,
+ "per_page": 50,
+ "results": [
+ {
+ "id": "11111111-1111-1111-1111-111111111111",
+ "insights_id": "22222222-2222-2222-2222-222222222222",
+ "updated": "2019-03-19T21:59:09.213151-04:00"
+ }
+ ]
+}
diff --git a/awx/main/tests/data/insights_remediations.json b/awx/main/tests/data/insights_remediations.json
new file mode 100644
index 0000000000..17a2fb1541
--- /dev/null
+++ b/awx/main/tests/data/insights_remediations.json
@@ -0,0 +1,33 @@
+{
+ "data": [
+ {
+ "id": "9197ba55-0abc-4028-9bbe-269e530f8bd5",
+ "name": "Fix Critical CVEs",
+ "created_by": {
+ "username": "jharting@redhat.com",
+ "first_name": "Jozef",
+ "last_name": "Hartinger"
+ },
+ "created_at": "2018-12-05T08:19:36.641Z",
+ "updated_by": {
+ "username": "jharting@redhat.com",
+ "first_name": "Jozef",
+ "last_name": "Hartinger"
+ },
+ "updated_at": "2018-12-05T08:19:36.641Z",
+ "issue_count": 0,
+ "system_count": 0,
+ "needs_reboot": true
+ }
+ ],
+ "meta": {
+ "count": 0,
+ "total": 0
+ },
+ "links": {
+ "first": null,
+ "last": null,
+ "next": null,
+ "previous": null
+ }
+}
diff --git a/awx/main/tests/functional/api/test_host_insights.py b/awx/main/tests/functional/api/test_host_insights.py
new file mode 100644
index 0000000000..348ca02952
--- /dev/null
+++ b/awx/main/tests/functional/api/test_host_insights.py
@@ -0,0 +1,135 @@
+from collections import namedtuple
+
+import pytest
+import requests
+
+from awx.api.versioning import reverse
+
+
+@pytest.mark.django_db
+class TestHostInsights:
+ def test_insights_bad_host(self, get, hosts, user, mocker):
+ mocker.patch.object(requests.Session, 'get')
+
+ host = hosts(host_count=1)[0]
+
+ url = reverse('api:host_insights', kwargs={'pk': host.pk})
+ response = get(url, user('admin', True))
+
+ assert response.data['error'] == 'This host is not recognized as an Insights host.'
+ assert response.status_code == 404
+
+ def test_insights_host_missing_from_insights(self, get, hosts, insights_credential, user, mocker):
+ class Response:
+ status_code = 200
+ content = "{'results': []}"
+
+ def json(self):
+ return {'results': []}
+
+ mocker.patch.object(requests.Session, 'get', return_value=Response())
+
+ host = hosts(host_count=1)[0]
+ host.insights_system_id = '123e4567-e89b-12d3-a456-426655440000'
+ host.inventory.insights_credential = insights_credential
+ host.inventory.save()
+ host.save()
+
+ url = reverse('api:host_insights', kwargs={'pk': host.pk})
+ response = get(url, user('admin', True))
+
+ assert response.data['error'] == (
+ 'Could not translate Insights system ID 123e4567-e89b-12d3-a456-426655440000'
+ ' into an Insights platform ID.')
+ assert response.status_code == 404
+
+ def test_insights_no_credential(self, get, hosts, user, mocker):
+ mocker.patch.object(requests.Session, 'get')
+
+ host = hosts(host_count=1)[0]
+ host.insights_system_id = '123e4567-e89b-12d3-a456-426655440000'
+ host.save()
+
+ url = reverse('api:host_insights', kwargs={'pk': host.pk})
+ response = get(url, user('admin', True))
+
+ assert response.data['error'] == 'The Insights Credential for "test-inv" was not found.'
+ assert response.status_code == 404
+
+ @pytest.mark.parametrize("status_code, exception, error, message", [
+ (502, requests.exceptions.SSLError, 'SSLError while trying to connect to https://myexample.com/whocares/me/', None,),
+ (504, requests.exceptions.Timeout, 'Request to https://myexample.com/whocares/me/ timed out.', None,),
+ (502, requests.exceptions.RequestException, 'booo!', 'Unknown exception booo! while trying to GET https://myexample.com/whocares/me/'),
+ ])
+ def test_insights_exception(self, get, hosts, insights_credential, user, mocker, status_code, exception, error, message):
+ mocker.patch.object(requests.Session, 'get', side_effect=exception(error))
+
+ host = hosts(host_count=1)[0]
+ host.insights_system_id = '123e4567-e89b-12d3-a456-426655440000'
+ host.inventory.insights_credential = insights_credential
+ host.inventory.save()
+ host.save()
+
+ url = reverse('api:host_insights', kwargs={'pk': host.pk})
+ response = get(url, user('admin', True))
+
+ assert response.data['error'] == message or error
+ assert response.status_code == status_code
+
+ def test_insights_unauthorized(self, get, hosts, insights_credential, user, mocker):
+ Response = namedtuple('Response', 'status_code content')
+ mocker.patch.object(requests.Session, 'get', return_value=Response(401, 'mock 401 err msg'))
+
+ host = hosts(host_count=1)[0]
+ host.insights_system_id = '123e4567-e89b-12d3-a456-426655440000'
+ host.inventory.insights_credential = insights_credential
+ host.inventory.save()
+ host.save()
+
+ url = reverse('api:host_insights', kwargs={'pk': host.pk})
+ response = get(url, user('admin', True))
+
+ assert response.data['error'] == (
+ "Unauthorized access. Please check your Insights Credential username and password.")
+ assert response.status_code == 502
+
+ def test_insights_bad_status(self, get, hosts, insights_credential, user, mocker):
+ Response = namedtuple('Response', 'status_code content')
+ mocker.patch.object(requests.Session, 'get', return_value=Response(500, 'mock 500 err msg'))
+
+ host = hosts(host_count=1)[0]
+ host.insights_system_id = '123e4567-e89b-12d3-a456-426655440000'
+ host.inventory.insights_credential = insights_credential
+ host.inventory.save()
+ host.save()
+
+ url = reverse('api:host_insights', kwargs={'pk': host.pk})
+ response = get(url, user('admin', True))
+
+ assert response.data['error'].startswith("Failed to access the Insights API at URL")
+ assert "Server responded with 500 status code and message mock 500 err msg" in response.data['error']
+ assert response.status_code == 502
+
+ def test_insights_bad_json(self, get, hosts, insights_credential, user, mocker):
+ class Response:
+ status_code = 200
+ content = 'booo!'
+
+ def json(self):
+ raise ValueError("we do not care what this is")
+
+ mocker.patch.object(requests.Session, 'get', return_value=Response())
+
+ host = hosts(host_count=1)[0]
+ host.insights_system_id = '123e4567-e89b-12d3-a456-426655440000'
+ host.inventory.insights_credential = insights_credential
+ host.inventory.save()
+ host.save()
+
+ url = reverse('api:host_insights', kwargs={'pk': host.pk})
+ response = get(url, user('admin', True))
+
+ assert response.data['error'].startswith("Expected JSON response from Insights at URL")
+ assert 'insights_id=123e4567-e89b-12d3-a456-426655440000' in response.data['error']
+ assert response.data['error'].endswith("but instead got booo!")
+ assert response.status_code == 502
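Review bot: The assertion `assert response.data['error'] == message or error` in test_insights_exception parses as `(response.data['error'] == message) or error`, so for the two rows where `message` is None the comparison is discarded and the non-empty `error` string keeps the assert true regardless of the response body. It should read `assert response.data['error'] == (message or error)`; the same precedence slip was in the deleted unit test and has simply been carried over. The deleted unit test also covered the `User-Agent` header sent to Insights and nothing in this new module replaces it, so a mocked `requests.Session.get` whose `call_args` is checked for the header would restore that coverage.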
diff --git a/awx/main/tests/unit/api/test_views.py b/awx/main/tests/unit/api/test_views.py
index b690285295..53ab2ececb 100644
--- a/awx/main/tests/unit/api/test_views.py
+++ b/awx/main/tests/unit/api/test_views.py
@@ -1,7 +1,5 @@
# -*- coding: utf-8 -*-
-import re
import pytest
-import requests
from copy import deepcopy
from unittest import mock
@@ -11,13 +9,9 @@ from awx.api.views import (
ApiVersionRootView,
JobTemplateLabelList,
InventoryInventorySourcesUpdate,
- HostInsights,
JobTemplateSurveySpec
)
-from awx.main.models import (
- Host,
-)
from awx.main.views import handle_error
from rest_framework.test import APIRequestFactory
@@ -122,103 +116,6 @@ class TestInventoryInventorySourcesUpdate:
assert response.data == expected
-class TestHostInsights():
-
- @pytest.fixture
- def patch_parent(self, mocker):
- mocker.patch('awx.api.generics.GenericAPIView')
-
- @pytest.mark.parametrize("status_code, exception, error, message", [
- (502, requests.exceptions.SSLError, 'SSLError while trying to connect to https://myexample.com/whocares/me/', None,),
- (504, requests.exceptions.Timeout, 'Request to https://myexample.com/whocares/me/ timed out.', None,),
- (502, requests.exceptions.RequestException, 'booo!', 'Unknown exception booo! while trying to GET https://myexample.com/whocares/me/'),
- ])
- def test_get_insights_request_exception(self, patch_parent, mocker, status_code, exception, error, message):
- view = HostInsights()
- mocker.patch.object(view, '_get_insights', side_effect=exception(error))
-
- (msg, code) = view.get_insights('https://myexample.com/whocares/me/', 'ignore', 'ignore')
- assert code == status_code
- assert msg['error'] == message or error
-
- def test_get_insights_non_200(self, patch_parent, mocker):
- view = HostInsights()
- Response = namedtuple('Response', 'status_code content')
- mocker.patch.object(view, '_get_insights', return_value=Response(500, 'mock 500 err msg'))
-
- (msg, code) = view.get_insights('https://myexample.com/whocares/me/', 'ignore', 'ignore')
- assert msg['error'] == (
- 'Failed to gather reports and maintenance plans from Insights API at URL'
- ' https://myexample.com/whocares/me/. Server responded with 500 status code '
- 'and message mock 500 err msg')
-
- def test_get_insights_401(self, patch_parent, mocker):
- view = HostInsights()
- Response = namedtuple('Response', 'status_code content')
- mocker.patch.object(view, '_get_insights', return_value=Response(401, ''))
-
- (msg, code) = view.get_insights('https://myexample.com/whocares/me/', 'ignore', 'ignore')
- assert msg['error'] == 'Unauthorized access. Please check your Insights Credential username and password.'
-
- def test_get_insights_malformed_json_content(self, patch_parent, mocker):
- view = HostInsights()
-
- class Response():
- status_code = 200
- content = 'booo!'
-
- def json(self):
- raise ValueError('we do not care what this is')
-
- mocker.patch.object(view, '_get_insights', return_value=Response())
-
- (msg, code) = view.get_insights('https://myexample.com/whocares/me/', 'ignore', 'ignore')
- assert msg['error'] == 'Expected JSON response from Insights but instead got booo!'
- assert code == 502
-
- #def test_get_not_insights_host(self, patch_parent, mocker, mock_response_new):
- #def test_get_not_insights_host(self, patch_parent, mocker):
- def test_get_not_insights_host(self, mocker):
-
- view = HostInsights()
-
- host = Host()
- host.insights_system_id = None
-
- mocker.patch.object(view, 'get_object', return_value=host)
-
- resp = view.get(None)
-
- assert resp.data['error'] == 'This host is not recognized as an Insights host.'
- assert resp.status_code == 404
-
- def test_get_no_credential(self, patch_parent, mocker):
- view = HostInsights()
-
- class MockInventory():
- insights_credential = None
- name = 'inventory_name_here'
-
- class MockHost():
- insights_system_id = 'insights_system_id_value'
- inventory = MockInventory()
-
- mocker.patch.object(view, 'get_object', return_value=MockHost())
-
- resp = view.get(None)
-
- assert resp.data['error'] == 'The Insights Credential for "inventory_name_here" was not found.'
- assert resp.status_code == 404
-
- def test_get_insights_user_agent(self, patch_parent, mocker):
- with mock.patch.object(requests.Session, 'get') as get:
- HostInsights()._get_insights('https://example.org', 'joe', 'example')
- assert get.call_count == 1
- args, kwargs = get.call_args_list[0]
- assert args == ('https://example.org',)
- assert re.match(r'AWX [^\s]+ \(open\)', kwargs['headers']['User-Agent'])
-
-
class TestSurveySpecValidation:
def test_create_text_encrypted(self):
diff --git a/awx/main/tests/unit/utils/test_insights.py b/awx/main/tests/unit/utils/test_insights.py
index fe160e666f..1eee79ce78 100644
--- a/awx/main/tests/unit/utils/test_insights.py
+++ b/awx/main/tests/unit/utils/test_insights.py
@@ -3,22 +3,25 @@
from awx.main.utils.insights import filter_insights_api_response
-from awx.main.tests.data.insights import TEST_INSIGHTS_PLANS
+from awx.main.tests.data.insights import TEST_INSIGHTS_HOSTS, TEST_INSIGHTS_PLANS, TEST_INSIGHTS_REMEDIATIONS
def test_filter_insights_api_response():
- actual = filter_insights_api_response(TEST_INSIGHTS_PLANS)
+ actual = filter_insights_api_response(
+ TEST_INSIGHTS_HOSTS['results'][0], TEST_INSIGHTS_PLANS, TEST_INSIGHTS_REMEDIATIONS)
- assert actual['last_check_in'] == '2017-07-21T07:07:29.000Z'
- assert len(actual['reports']) == 9
- assert actual['reports'][0]['maintenance_actions'][0]['maintenance_plan']['name'] == "RHEL Demo Infrastructure"
- assert actual['reports'][0]['maintenance_actions'][0]['maintenance_plan']['maintenance_id'] == 29315
- assert actual['reports'][0]['rule']['severity'] == 'ERROR'
- assert actual['reports'][0]['rule']['description'] == 'Remote code execution vulnerability in libresolv via crafted DNS response (CVE-2015-7547)'
- assert actual['reports'][0]['rule']['category'] == 'Security'
- assert actual['reports'][0]['rule']['summary'] == ("A critical security flaw in the `glibc` library was found. "
- "It allows an attacker to crash an application built against "
- "that library or, potentially, execute arbitrary code with "
- "privileges of the user running the application.")
- assert actual['reports'][0]['rule']['ansible_fix'] is False
+ assert actual['last_check_in'] == '2019-03-19T21:59:09.213151-04:00'
+ assert len(actual['reports']) == 5
+ assert len(actual['reports'][0]['maintenance_actions']) == 1
+ assert actual['reports'][0]['maintenance_actions'][0]['name'] == "Fix Critical CVEs"
+ rule = actual['reports'][0]['rule']
+ assert rule['severity'] == 'WARN'
+ assert rule['description'] == (
+ "Kernel vulnerable to side-channel attacks in modern microprocessors (CVE-2017-5715/Spectre)")
+ assert rule['category'] == 'Security'
+ assert rule['summary'] == (
+ "A vulnerability was discovered in modern microprocessors supported by the kernel,"
+ " whereby an unprivileged attacker can use this flaw to bypass restrictions to gain read"
+ " access to privileged memory.\nThe issue was reported as [CVE-2017-5715 / Spectre]"
+ "(https://access.redhat.com/security/cve/CVE-2017-5715).\n")
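Review bot: The updated test never checks `actual['platform_id']`, even though the rewritten filter now emits it from `platform_info['id']` and the UI builds its Insights link from that value. Adding `assert actual['platform_id'] == '11111111-1111-1111-1111-111111111111'` pins the one field the new output introduces. It would also be worth asserting `len(actual['reports'][1]['maintenance_actions']) == 1` to make explicit that the remediations list is currently attached to every report, if that is the intended contract.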
diff --git a/awx/main/utils/insights.py b/awx/main/utils/insights.py
index dc4901e609..67bb1e5f25 100644
--- a/awx/main/utils/insights.py
+++ b/awx/main/utils/insights.py
@@ -2,42 +2,46 @@
# All Rights Reserved.
-def filter_insights_api_response(json):
- new_json = {}
- '''
- 'last_check_in',
- 'reports.[].rule.severity',
- 'reports.[].rule.description',
- 'reports.[].rule.category',
- 'reports.[].rule.summary',
- 'reports.[].rule.ansible_fix',
- 'reports.[].rule.ansible',
- 'reports.[].maintenance_actions.[].maintenance_plan.name',
- 'reports.[].maintenance_actions.[].maintenance_plan.maintenance_id',
- '''
+# Old Insights API -> New API
+#
+# last_check_in is missing entirely, is now provided by a different endpoint
+# reports[] -> []
+# reports[].rule.{description,summary} -> [].rule.{description,summary}
+# reports[].rule.category -> [].rule.category.name
+# reports[].rule.severity (str) -> [].rule.total_risk (int)
- if 'last_check_in' in json:
- new_json['last_check_in'] = json['last_check_in']
- if 'reports' in json:
- new_json['reports'] = []
- for rep in json['reports']:
- new_report = {
- 'rule': {},
- 'maintenance_actions': []
- }
- if 'rule' in rep:
- for k in ['severity', 'description', 'category', 'summary', 'ansible_fix', 'ansible',]:
- if k in rep['rule']:
- new_report['rule'][k] = rep['rule'][k]
+# reports[].rule.{ansible,ansible_fix} appears to be unused
+# reports[].maintenance_actions[] missing entirely, is now provided
+# by a different Insights endpoint
+
+
+def filter_insights_api_response(platform_info, reports, remediations):
+ severity_mapping = {
+ 1: 'INFO',
+ 2: 'WARN',
+ 3: 'ERROR',
+ 4: 'CRITICAL'
+ }
+
+ new_json = {
+ 'platform_id': platform_info['id'],
+ 'last_check_in': platform_info.get('updated'),
+ 'reports': [],
+ }
+ for rep in reports:
+ new_report = {
+ 'rule': {},
+ 'maintenance_actions': remediations
+ }
+ rule = rep.get('rule') or {}
+ for k in ['description', 'summary']:
+ if k in rule:
+ new_report['rule'][k] = rule[k]
+ if 'category' in rule:
+ new_report['rule']['category'] = rule['category']['name']
+ if rule.get('total_risk') in severity_mapping:
+ new_report['rule']['severity'] = severity_mapping[rule['total_risk']]
+
+ new_json['reports'].append(new_report)
- for action in rep.get('maintenance_actions', []):
- new_action = {'maintenance_plan': {}}
- if 'maintenance_plan' in action:
- for k in ['name', 'maintenance_id']:
- if k in action['maintenance_plan']:
- new_action['maintenance_plan'][k] = action['maintenance_plan'][k]
- new_report['maintenance_actions'].append(new_action)
-
- new_json['reports'].append(new_report)
return new_json
-
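Review bot: `new_report['rule']['category'] = rule['category']['name']` assumes `category` is a dict with a `name` key, so a report whose category is null or a bare string raises KeyError/TypeError and takes the whole filter down, whereas the other fields are read defensively with `get`/`in`. A guarded form keeps the same output for well-formed input: `category = rule.get('category') or {}` / `if isinstance(category, dict) and 'name' in category:` / `new_report['rule']['category'] = category['name']`. Separately, every report shares the same `remediations` list object as `maintenance_actions`; if that is intentional (the header comment says remediations come from a separate endpoint and are not per-report), a docstring on filter_insights_api_response saying so would stop the next reader from treating it as a bug, and `severity_mapping` could become a module-level constant since it never changes.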
diff --git a/awx/playbooks/action_plugins/insights.py b/awx/playbooks/action_plugins/insights.py
index 34ebd8c7cd..d4831448be 100644
--- a/awx/playbooks/action_plugins/insights.py
+++ b/awx/playbooks/action_plugins/insights.py
@@ -2,6 +2,8 @@ from __future__ import (absolute_import, division, print_function)
__metaclass__ = type
import os
+import re
+
import requests
from ansible.plugins.action import ActionBase
@@ -9,8 +11,11 @@ from ansible.plugins.action import ActionBase
class ActionModule(ActionBase):
- def save_playbook(self, proj_path, plan, content):
- fname = '{}-{}.yml'.format(plan.get('name', None) or 'insights-plan', plan['maintenance_id'])
+ def save_playbook(self, proj_path, remediation, content):
+ name = remediation.get('name', None) or 'insights-remediation'
+ name = re.sub(r'[^\w\s-]', '', name).strip().lower()
+ name = re.sub(r'[-\s]+', '-', name)
+ fname = '{}-{}.yml'.format(name, remediation['id'])
file_path = os.path.join(proj_path, fname)
with open(file_path, 'wb') as f:
f.write(content)
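Review bot: save_playbook sanitizes `name` but passes `remediation['id']` straight into `fname` and then into `os.path.join(proj_path, fname)`; the id comes from the remote API body (`item['id']` in run), so the filename's safety now depends on the server never returning a value containing path separators or dot segments. Applying the same character class to the id keeps the file inside `proj_path`: `rid = re.sub(r'[^\w-]', '', str(remediation['id']))` and `fname = '{}-{}.yml'.format(name, rid)`. The sanitizer can also reduce `name` to an empty string (e.g. a name of only punctuation), which yields a file starting with `-`; falling back with `name = name or 'insights-remediation'` after the two `re.sub` calls avoids that.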
@@ -18,9 +23,8 @@ class ActionModule(ActionBase):
def is_stale(self, proj_path, etag):
file_path = os.path.join(proj_path, '.version')
try:
- f = open(file_path, 'r')
- version = f.read()
- f.close()
+ with open(file_path, 'r') as f:
+ version = f.read()
return version != etag
except IOError:
return True
@@ -31,7 +35,6 @@ class ActionModule(ActionBase):
f.write(etag)
def run(self, tmp=None, task_vars=None):
-
self._supports_check_mode = False
result = super(ActionModule, self).run(tmp, task_vars)
@@ -53,35 +56,10 @@ class ActionModule(ActionBase):
license
)
}
+ url = '/api/remediations/v1/remediations'
+ while url:
+ res = session.get('{}{}'.format(insights_url, url), headers=headers, timeout=120)
-
- url = '{}/r/insights/v3/maintenance?ansible=true'.format(insights_url)
-
- res = session.get(url, headers=headers, timeout=120)
-
- if res.status_code != 200:
- result['failed'] = True
- result['msg'] = (
- 'Expected {} to return a status code of 200 but returned status '
- 'code "{}" instead with content "{}".'.format(url, res.status_code, res.content)
- )
- return result
-
- if 'ETag' in res.headers:
- version = res.headers['ETag']
- if version.startswith('"') and version.endswith('"'):
- version = version[1:-1]
- else:
- version = "ETAG_NOT_FOUND"
-
- if not self.is_stale(proj_path, version):
- result['changed'] = False
- result['version'] = version
- return result
-
- for item in res.json():
- url = '{}/r/insights/v3/maintenance/{}/playbook'.format(insights_url, item['maintenance_id'])
- res = session.get(url, timeout=120)
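Review bot: `url` now holds the relative path `/api/remediations/v1/remediations` (and later whatever `links.next` returns), but the failure message a few lines below, which continues in the next hunk, still formats `url`, so the reported address is no longer the URL that was actually requested. Building the full address once and using it in both places keeps the message accurate: `page_url = '{}{}'.format(insights_url, url)` / `res = session.get(page_url, headers=headers, timeout=120)` and `.format(page_url, ...)` in the message. The run method starts and ends outside this hunk.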
if res.status_code != 200:
result['failed'] = True
result['msg'] = (
@@ -89,7 +67,37 @@ class ActionModule(ActionBase):
'code "{}" instead with content "{}".'.format(url, res.status_code, res.content)
)
return result
- self.save_playbook(proj_path, item, res.content)
+
+ # FIXME: ETags are (maybe?) not yet supported in the new
+ # API, and even if they are we'll need to put some thought
+ # into how to deal with them in combination with pagination.
+ if 'ETag' in res.headers:
+ version = res.headers['ETag']
+ if version.startswith('"') and version.endswith('"'):
+ version = version[1:-1]
+ else:
+ version = "ETAG_NOT_FOUND"
+
+ if not self.is_stale(proj_path, version):
+ result['changed'] = False
+ result['version'] = version
+ return result
+
+ url = res.json()['links']['next'] # will be None if we're on the last page
+
+ for item in res.json()['data']:
+ playbook_url = '{}/api/remediations/v1/remediations/{}/playbook'.format(
+ insights_url, item['id'])
+ res = session.get(playbook_url, timeout=120)
+ if res.status_code != 200:
+ result['failed'] = True
+ result['msg'] = (
+ 'Expected {} to return a status code of 200 but returned status '
+ 'code "{}" instead with content "{}".'.format(
+ playbook_url, res.status_code, res.content)
+ )
+ return result
+ self.save_playbook(proj_path, item, res.content)
self.write_version(proj_path, version)
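Review bot: `res.json()` is parsed twice per page (`res.json()['links']['next']` and `res.json()['data']`); binding `body = res.json()` once and reading `body['links']['next']` and `body['data']` avoids the second decode and makes a malformed body fail in one place. The value of `links.next` is taken from the response and appended verbatim to `insights_url`; it would be prudent to check it is a relative path under `/api/remediations/v1/` before following it, and to stop if it repeats a page already fetched, so a surprising `next` value cannot send the loop elsewhere or spin it. As the FIXME notes, the ETag/is_stale check runs inside the `while`, so on a multi-page result only the first page's ETag is ever compared and `write_version` afterwards records whichever page came last.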
diff --git a/awx/ui/client/src/inventories-hosts/inventories/insights/insights.controller.js b/awx/ui/client/src/inventories-hosts/inventories/insights/insights.controller.js
index 5022fc519d..582f7bc94b 100644
--- a/awx/ui/client/src/inventories-hosts/inventories/insights/insights.controller.js
+++ b/awx/ui/client/src/inventories-hosts/inventories/insights/insights.controller.js
@@ -26,6 +26,7 @@ function (data, $scope, moment, $state, InventoryData, InsightsService,
InventoryData.summary_fields.insights_credential && InventoryData.summary_fields.insights_credential.id) ?
InventoryData.summary_fields.insights_credential.id : null;
$scope.canRemediate = CanRemediate;
+ $scope.platformId = $scope.reports_dataset.platform_id;
}
function filter(str){
@@ -40,7 +41,7 @@ function (data, $scope, moment, $state, InventoryData, InsightsService,
};
$scope.viewDataInInsights = function(){
- window.open(`https://access.redhat.com/insights/inventory?machine=${$scope.$parent.host.insights_system_id}`, '_blank');
+ window.open(`https://cloud.redhat.com/insights/inventory/${$scope.platformId}/insights`, '_blank');
};
$scope.remediateInventory = function(inv_id, insights_credential){
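Review bot: The new `window.open` interpolates `$scope.platformId` into the URL without encoding and without a guard, so a host whose report has no `platform_id` opens `.../inventory/undefined/insights`. Wrapping the value with `encodeURIComponent` and returning early when it is falsy keeps the link well-formed. Since the target is a third-party origin opened in a new tab, passing `'noopener'` as the third argument to `window.open` also prevents the opened page from reaching back to this one through `window.opener`.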
diff --git a/awx/ui/client/src/inventories-hosts/inventories/insights/plan-filter.js b/awx/ui/client/src/inventories-hosts/inventories/insights/plan-filter.js
index 40916cd5ec..df023b75aa 100644
--- a/awx/ui/client/src/inventories-hosts/inventories/insights/plan-filter.js
+++ b/awx/ui/client/src/inventories-hosts/inventories/insights/plan-filter.js
@@ -7,10 +7,10 @@
export default function(){
return function(plan) {
if(plan === null || plan === undefined){
- return "PLAN: Not Available CREATE A NEW PLAN IN INSIGHTS";
+ return "PLAN: Not Available CREATE A NEW PLAN IN INSIGHTS";
} else {
- let name = (plan.maintenance_plan.name === null) ? "Unnamed Plan" : plan.maintenance_plan.name;
- return `${name} (${plan.maintenance_plan.maintenance_id})`;
+ let name = (plan.name === null) ? "Unnamed Plan" : plan.name;
+ return `${name} (${plan.id})`;
}
};
}
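Review bot: `plan.name === null` only catches an explicit null, so a remediation object without a `name` property renders as `undefined (<id>)`; the loose `plan.name == null` covers both null and undefined while still showing a name that is an empty string. The surrounding filter logic is otherwise unchanged by this hunk.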