oamg / leapp-repository

Leapp repositories containing actors for the Leapp framework (https://github.com/oamg/leapp). Currently provides leapp repositories for in-place upgrades of RHEL systems.
Apache License 2.0

"Detected custom leapp actors or files" false positive #1251

Open swapdisk opened 2 months ago

swapdisk commented 2 months ago

Actual behavior

The recently introduced actor check_custom_modifications_actor is reporting a "Detected custom leapp actors or files" high severity finding if the leapp-rhui-aws package is installed. The finding summary lists files provided by the leapp-rhui-aws package even though this is a legit Red Hat-signed package, i.e., not from a third-party vendor, etc.

To Reproduce

Steps to reproduce the behavior

On RHEL8 PAYG EC2 instance:

  1. install leapp-rhui-aws
  2. install leapp-upgrade-el8toel9-0.20.0-2.el8 or later version
  3. run leapp preupgrade --no-rhsm --debug
  4. observe unfounded finding in leapp-report.txt, e.g.,
Risk Factor: high 
Title: Detected custom leapp actors or files.
Summary: We have detected installed custom actors or files on the system. These can be provided e.g. by third party vendors, Red Hat consultants, or can be created by users to customize the upgrade (e.g. to migrate custom applications). This is allowed and appreciated. However Red Hat is not responsible for any issues caused by these custom leapp actors. Note that upgrade tooling is under agile development which could require more frequent update of custom actors.
The list of custom leapp actors and files:
    - /usr/share/leapp-repository/repositories/system_upgrade/common/files/rhui/aws/cdn.redhat.com-chain.crt
    - /usr/share/leapp-repository/repositories/system_upgrade/common/files/rhui/aws/content-rhel9.crt
    - /usr/share/leapp-repository/repositories/system_upgrade/common/files/rhui/aws/content-rhel9.key
    - /usr/share/leapp-repository/repositories/system_upgrade/common/files/rhui/aws/leapp-aws.repo
    - /usr/share/leapp-repository/repositories/system_upgrade/common/files/rhui/aws/rhui-client-config-server-9.crt
    - /usr/share/leapp-repository/repositories/system_upgrade/common/files/rhui/aws/rhui-client-config-server-9.key
Related links:
    - Customizing your Red Hat Enterprise Linux in-place upgrade: https://red.ht/customize-rhel-upgrade
Remediation: [hint] In case of any issues connected to custom or third party actors, contact vendor of such actors. Also we suggest to ensure the installed custom leapp actors are up to date, compatible with the installed packages.
Key: 2064870018370ce2bde3f977cf753ed8c59848d0

Expected behavior

The finding should not be reported for leapp actors or files provided by a signed package supported by Red Hat.

System information (please complete the following information):

[root@neat7ray ~]# cat /etc/system-release
Red Hat Enterprise Linux release 8.10 (Ootpa)
[root@neat7ray ~]# uname -a
Linux neat7ray.example.com 4.18.0-553.el8_10.x86_64 #1 SMP Fri May 10 15:19:13 EDT 2024 x86_64 x86_64 x86_64 GNU/Linux
[root@neat7ray ~]# rpm -qa "*leapp*"
leapp-upgrade-el8toel9-deps-0.20.0-2.el8.noarch
leapp-rhui-aws-1.0.11-1.el8.noarch
leapp-0.17.0-1.el8.noarch
python3-leapp-0.17.0-1.el8.noarch
leapp-deps-0.17.0-1.el8.noarch
leapp-upgrade-el8toel9-0.20.0-2.el8.noarch

Attach (or provide link to) log files if applicable (optional - may contain confidential information):

# tar -czf leapp-logs.tar.gz /var/log/leapp /var/lib/leapp/leapp.db

leapp-logs.tar.gz


Additional context

The same issue exists with a RHEL7 PAYG EC2 instance.
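A triage helper for reports like the one above, added here as an example (not leapp's own code): it pulls the flagged paths out of leapp-report.txt and asks rpm which package owns each file and which key signed that package, so files shipped by a signed package can be separated from genuinely custom ones. The `%{SIGPGP:pgpsig}` query tag and the trusted key ID placeholder are assumptions to check on your own system.

```python
"""Triage helper: confirm whether the files listed in a leapp
"Detected custom leapp actors or files" report are owned by a signed RPM."""
import re
import subprocess

KEY_ID_RE = re.compile(r"Key ID ([0-9a-f]{16})", re.IGNORECASE)
# Placeholder value: put the key ID(s) of the package-signing keys you trust here.
TRUSTED_KEY_IDS = {"0123456789abcdef"}

def flagged_paths(report_text):
    """Extract the '- /path' entries listed under the report's list header."""
    paths, in_list = [], False
    for line in report_text.splitlines():
        if line.startswith("The list of custom leapp actors and files:"):
            in_list = True
        elif in_list and line.strip().startswith("- /"):
            paths.append(line.strip()[2:])
        elif in_list:
            break  # first non-list line ends the section
    return paths

def classify(path, returncode, stdout, trusted_key_ids=TRUSTED_KEY_IDS):
    """Turn one `rpm -qf` result into (path, package, verdict); verdict is
    unowned, unsigned, untrusted-key, or trusted."""
    if returncode != 0 or "\t" not in stdout:
        return (path, None, "unowned")      # genuinely custom file
    name, sig = stdout.strip().split("\t", 1)
    match = KEY_ID_RE.search(sig)
    if not match:
        return (path, name, "unsigned")     # signature column is "(none)"
    if match.group(1).lower() not in {k.lower() for k in trusted_key_ids}:
        return (path, name, "untrusted-key")
    return (path, name, "trusted")

def query_rpm(path):
    """One rpm query per path: rpm reports unowned files on stderr with a
    non-zero exit status, so batching the paths would lose that signal."""
    proc = subprocess.run(["rpm", "-qf", "--qf", "%{NAME}\t%{SIGPGP:pgpsig}\n", path],
                          capture_output=True, text=True, check=False)
    return proc.returncode, proc.stdout

def triage(report_text, query=query_rpm, trusted_key_ids=TRUSTED_KEY_IDS):
    """Return [(path, package, verdict)] for every path the report flagged."""
    return [classify(p, *query(p), trusted_key_ids) for p in flagged_paths(report_text)]

if __name__ == "__main__":
    import sys
    for path, pkg, verdict in triage(open(sys.argv[1]).read()):
        print(f"{verdict:14} {pkg or '-':20} {path}")
```

Run it as `python3 triage.py /var/log/leapp/leapp-report.txt`; for the report above, every listed path should come back as `trusted leapp-rhui-aws` once the Red Hat key ID is in `TRUSTED_KEY_IDS`.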

mkluson commented 2 months ago

Hi @swapdisk, thank you for reporting this unfortunate behavior. I created https://issues.redhat.com/browse/RHEL-40115 for better tracking within the RH team. We will fix it in some future release (note it will be RHEL 8.10 and newer).