15
submitted 1 year ago by xapr@lemmy.sdf.org to c/linux@lemmy.ml

I have an issue with some servers at work where I have been unable to determine the best course of action to address it based on pre-existing knowledge within my team or web searches. Does anyone have suggestions for the best place to ask RHEL-specific questions? I don't want to presume that it's OK to post such nitty-gritty technical questions here.

[-] riek42@lemmy.dbzer0.com 11 points 1 year ago

RHEL has some questions/answers forum behind their paywall. As you have RHEL somebody within your organization should have an account with access to it.

[-] vojel@feddit.de 6 points 1 year ago

It's not a paywall. You can register for free and look up all the articles but of course won't get customer support. @OP maybe ask your questions just here, I bet most Linux enterprise dudes got their fingers a lot on RHEL/CentOS, me included.

[-] xapr@lemmy.sdf.org 3 points 1 year ago

Thank you, I've now asked my question within this same thread: https://lemmy.sdf.org/comment/1840823

[-] riek42@lemmy.dbzer0.com 2 points 1 year ago

Oh, I didn't know that. Thanks for pointing it out.

[-] xapr@lemmy.sdf.org 4 points 1 year ago

Thanks! Yes, I have access to their community. I wasn't sure if that was the best place to ask though. Their community software is a bit clunky, and sometimes official forums are not always the best place to ask.

[-] riek42@lemmy.dbzer0.com 2 points 1 year ago

Maybe you have a problem with a specific open source product which is an upstream of a RH product, then the open source product will have their own community forum, e.g. the RH product Satellite and the open source community The Foreman. Or directly in some kind of CentOS or Fedora forum for OS problems. But it will probably be fastest if you just open a ticket with RH for your problem.

[-] riek42@lemmy.dbzer0.com 2 points 1 year ago

Just now saw the comment with the link to your question, disregard my last comment. 😁

[-] xapr@lemmy.sdf.org 2 points 1 year ago

No problem, thanks for the suggestions!

[-] phx@lemmy.ca 7 points 1 year ago

There's nothing wrong with asking it here. You may not get an answer if it's something specific to RH that those here don't know about, but I can't imagine anyone will give you crap for it.

It's easier to direct you to the right place knowing what the question is too.

Just be careful not to put any sensitive information in the question if it's regarding corporate hosts.

[-] xapr@lemmy.sdf.org 1 points 1 year ago

Thank you, I've now asked my question within this same thread: https://lemmy.sdf.org/comment/1840823

[-] xapr@lemmy.sdf.org 3 points 1 year ago* (last edited 1 year ago)

Here's my question, if anyone reading this post knows the answer: the simple version is... is it safe to enable the rhel-7-server-rhceph-4-tools-rpms repository?

To give a little more detail: old versions of modules that come from the Ceph package got flagged by our security scan. It appears that Ceph is installed by default on RHEL 7, but the repository above which I believe will update these modules, is not enabled by default. This seems odd to me, and the documentation for Ceph mentions that the EPEL repository should be disabled. It doesn't appear that this repository is enabled, but this still made me concerned about why the Ceph repository isn't enabled by default, hence my question.

Edit: I will try to contact Red Hat support to confirm the best course of action, like some have suggested on this thread. Thank you everyone for your help.

Edit 2: I figured out a course of action to take. The vulnerabilities were flagged for the librados2 and librbd1 packages. I used the command "rpm -q --whatrequires " to navigate the dependencies of these two packages to end at libvirt. Using the same command with libvirt, I was able to determine that no other package is dependent on it. Thus, it appears to me that I can address the issue by uninstalling all 3 packages. This seems safer and more secure than addressing the issue by enabling a new repository on the server. To be safe, I will take a snapshot of the VM before making the changes. I'll post another update afterward.

[-] carlwgeorge@beehaw.org 3 points 1 year ago

> old versions of modules that come from the Ceph package got flagged by our security scan.

RHEL uses a practice called backporting, where older versions of software in packages get fixes from newer versions of the software without changing the version. This means that scanners that only check the version number can give you false positives for CVEs that are actually fixed. Is there a specific CVE that your scanner mentions? If so, you can look it up in the Red Hat CVE database and check if the fix has been backported, and which release of the package includes said fix.
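The difference between a version-only check and a backport-aware one, as an added example that is not part of the original thread: it compares full epoch:version-release strings with rpm's ordering rules instead of the upstream version alone. The package builds and the upstream fix version are constructed values, and the caret operator of newer rpm releases is not handled.

```python
import re
from itertools import zip_longest

def rpmvercmp(a, b):
    """Order two version or release strings the way rpm does: -1, 0 or 1."""
    ta, tb = (re.findall(r"\d+|[A-Za-z]+|~", s) for s in (a, b))
    for x, y in zip_longest(ta, tb):
        if x == y:
            continue
        if "~" in (x, y):                # tilde sorts before anything, even end of string
            return -1 if x == "~" else 1
        if x is None or y is None:       # the string with segments left over is newer
            return -1 if x is None else 1
        if x.isdigit() != y.isdigit():   # a numeric segment beats an alphabetic one
            return 1 if x.isdigit() else -1
        if x.isdigit():
            x, y = int(x), int(y)
            if x == y:                   # "01" and "1" compare equal
                continue
        return -1 if x < y else 1
    return 0

def parse_evr(evr):
    """Split 'epoch:version-release' into (epoch, version, release)."""
    epoch, _, rest = evr.rpartition(":")
    version, _, release = rest.partition("-")
    return int(epoch or 0), version, release

def evr_cmp(a, b):
    ea, va, ra = parse_evr(a)
    eb, vb, rb = parse_evr(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)

def naive_flag(installed, upstream_fixed):
    """Version-only scanner: flags anything older than the upstream fix."""
    return rpmvercmp(parse_evr(installed)[1], upstream_fixed) < 0

def errata_flag(installed, errata_fixed):
    """Backport-aware check: flags only builds older than the erratum's build."""
    return evr_cmp(installed, errata_fixed) < 0

# Constructed values for a hypothetical package, not from the thread or a real advisory.
UPSTREAM_FIXED = "2.6.0"
ERRATA_FIXED = "2.4.1-7.el7_9.2"
PATCHED = "2.4.1-7.el7_9.3"      # backported fix present: a false positive for naive_flag
UNPATCHED = "2.4.1-7.el7"        # erratum never installed: a true finding
```

On a RHEL host, `rpm.labelCompare` from the rpm Python bindings performs the same comparison on (epoch, version, release) tuples.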

[-] xapr@lemmy.sdf.org 1 points 1 year ago

Oh, I was not aware of this. This is very useful! I will check it out and post an update later. Thank you!

[-] xapr@lemmy.sdf.org 1 points 1 year ago

I checked, and the versions of those modules that are currently installed are way behind what's provided in the listed Red Hat patch, so it does seem that the updates for this just haven't been installed. I will try to double-check with Red Hat support to be sure that enabling the Ceph repository is the correct course of action to take. Thank you once again for your help.

[-] knobbysideup@lemm.ee 3 points 1 year ago* (last edited 1 year ago)

You might want to check the errata for the packages your scanning tools complained about. RHEL will keep stable versions at the same release version, but backport security fixes in.

Many security scanners are stupid about this.

Since it is rhel, you have a support contract, right? What do they say?

[-] xapr@lemmy.sdf.org 1 points 1 year ago

> You might want to check the errata for the packages your scanning tools complained about. RHEL will keep stable versions at the same release version, but backport security fixes in.

Thanks. I had verified that there is an errata before posting here. I presume that it hasn't been installed due to that repository being disabled, but maybe I'm mistaken?

> Many security scanners are stupid about this.

Indeed. In the process of researching this I found a related KB article from Red Hat that basically said that the security scanner is not supposed to flag this.

> Since it is rhel, you have a support contract, right? What do they say?

I'm positive we have a support contract, but I've never had to use it, so I'm not familiar with the process. I'm not one of the main Linux admins here. If I can't find the answer either here or from my own research, I'll look into the process to open a case.

Thanks again.

[-] xapr@lemmy.sdf.org 1 points 1 year ago

Final update on this issue. I found out about the "rpm -q --whatrequires " command and used that to navigate the dependency chain for the modules in question. I was able to determine that those modules were ultimately not being used for anything. Once I confirmed that, I removed the modules. So far so good. It didn't cause any issues to the services on that server. I will find out if it resolved the vulnerability that had been flagged by the security scanner next time it runs, probably at the end of the month.
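The reverse-dependency walk described in the post, as an added example that is not the poster's own script: it follows `rpm -q --whatrequires` transitively and reports any installed package outside the planned removal set that still depends on it. It queries every capability a package provides, since library packages are usually required by soname and not by package name. The `SAMPLE` map is constructed to mirror the chain the post describes, and the function names are hypothetical.

```python
import subprocess
from collections import deque

def _rpm(*args):
    """Run an rpm query; return its output lines, or [] when rpm reports no match."""
    p = subprocess.run(("rpm", "-q") + args, stdout=subprocess.PIPE,
                       stderr=subprocess.DEVNULL, universal_newlines=True)
    return p.stdout.splitlines() if p.returncode == 0 else []

def rpm_whatrequires(pkg):
    """Names of installed packages requiring any capability that pkg provides."""
    users = set()
    for line in filter(str.strip, _rpm("--provides", pkg)):
        capability = line.split()[0]          # drop any "= version" suffix
        users.update(_rpm("--whatrequires", "--qf", "%{NAME}\n", capability))
    users.discard(pkg)                        # a package may require its own capability
    return users

def dependents(roots, whatrequires=rpm_whatrequires):
    """Walk reverse dependencies breadth-first; return {package: direct dependents}."""
    edges, queue = {}, deque(roots)
    while queue:
        pkg = queue.popleft()
        if pkg in edges:                      # already visited
            continue
        edges[pkg] = sorted(whatrequires(pkg))
        queue.extend(edges[pkg])
    return edges

def blockers(remove, whatrequires=rpm_whatrequires):
    """Packages outside the removal set that still depend on something in it."""
    return sorted(set(dependents(remove, whatrequires)) - set(remove))

# Constructed reverse-dependency map mirroring the chain described in the post;
# a real host's edges come from rpm and may differ.
SAMPLE = {"librados2": {"librbd1", "libvirt"}, "librbd1": {"libvirt"}, "libvirt": set()}

def sample_query(pkg):
    return SAMPLE.get(pkg, set())
```

On a real host, call `blockers([...])` without the second argument; an empty list means nothing else installed depends on the set, and `rpm -e --test` gives a dry run of the same removal.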

this post was submitted on 08 Aug 2023
15 points (89.5% liked)