rocknsm / rock

Automated deployment scripts for the RockNSM network hunting distribution.
http://rocknsm.io
Apache License 2.0

Disa stig prevent using EPEL release #262

Open spartan782 opened 6 years ago

spartan782 commented 6 years ago

Did a clean install with the Disa stig enabled and ran into errors with the epel-release. It appears that this line was added to the /etc/yum.conf file which prevents epel from pulling down its metadata.

repo_gpgcheck=1

When it is swapped back to 0, it works fine.

peasead commented 6 years ago

Yeah, this is a known..."feature". We've brought this up to DISA, no movement.

I run this beforehand to sidestep the issue (which obviously does the same thing you listed).

sudo sed -i 's/repo_gpgcheck=1/repo_gpgcheck=0/' /etc/yum.conf
sudo sed -i 's/localpkg_gpgcheck=1/localpkg_gpgcheck=0/' /etc/yum.conf

spartan782 commented 6 years ago

OK, awesome, wasn't sure if it was a known issue or not. Figured I would just dump it here just in case so I wouldn't forget.

dcode commented 6 years ago

I thought this was fixed in the latest epel-release pkg. @spartan782, how did you do the install, so we can reproduce it? We can also fix it in the kickstart. In either case, we should put a workaround in place before we close this.

spartan782 commented 6 years ago

I just built a vm from the ISO rocknsm-2.1-nightly-20180326-1658.iso and selected the security policy for the Disa stig. I selected custom install of rock from the menu, and then I yum installed epel-release which created lots of issues for me until I found that work around.

jeffgeiger commented 6 years ago

Have we tested this against the latest 2.1 ISOs? If not, I can.

peasead commented 6 years ago

Does 2.1 install Epel via Yum or "upstream"?

jeffgeiger commented 6 years ago

It gets painted in with ansible's yum-repository, but not via yum install epel-release.

peasead commented 6 years ago

When adding the STIG entries to /etc/yum.conf:

clean_requirements_on_remove=1
localpkg_gpgcheck=1
repo_gpgcheck=1

And then performing a sudo yum install epel-release && sudo yum update, you get a bunch of this:

Loading mirror speeds from cached hostfile
epel/x86_64/metalink                                                                                            |  16 kB  00:00:00
 * epel: mirror.grid.uchicago.edu
http://mirror.grid.uchicago.edu/pub/linux/epel/7/x86_64/repodata/repomd.xml.asc: [Errno 14] HTTP Error 404 - Not Found
Trying other mirror.
To address this issue please refer to the below wiki article

https://wiki.centos.org/yum-errors

If above article doesn't help to resolve this issue please use https://bugs.centos.org/.

http://mirror.compevo.com/epel/7/x86_64/repodata/repomd.xml.asc: [Errno 14] HTTP Error 404 - Not Found
Trying other mirror.
http://fedora-epel.mirror.lstn.net/7/x86_64/repodata/repomd.xml.asc: [Errno 14] HTTP Error 404 - Not Found
Trying other mirror.
https://mirror.steadfastnet.com/epel/7/x86_64/repodata/repomd.xml.asc: [Errno 14] HTTPS Error 404 - Not Found
Trying other mirror.
https://mirror.us-midwest-1.nexcess.net/epel/7/x86_64/repodata/repomd.xml.asc: [Errno 14] HTTPS Error 404 - Not Found
Trying other mirror.
http://mirror.cs.pitt.edu/epel/7/x86_64/repodata/repomd.xml.asc: [Errno 14] HTTP Error 404 - Not Found
Trying other mirror.
https://mirror.mrjester.net/fedora/epel/7/x86_64/repodata/repomd.xml.asc: [Errno 14] HTTPS Error 404 - Not Found
Trying other mirror.
https://ewr.edge.kernel.org/fedora-buffet/epel/7/x86_64/repodata/repomd.xml.asc: [Errno 14] HTTPS Error 404 - Not Found
Trying other mirror.
http://fedora-epel.mirrors.tds.net/fedora-epel/7/x86_64/repodata/repomd.xml.asc: [Errno 14] HTTP Error 404 - Not Found
Trying other mirror.
http://fedora-epel.mirror.iweb.com/7/x86_64/repodata/repomd.xml.asc: [Errno 14] HTTP Error 404 - Not Found
Trying other mirror.
^CRetrieving key from file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7
...

So it appears, that this isn't fix't.

The way I've "fixed" it was to change localpkg_gpgcheck=1 and repo_gpgcheck=1 in /etc/yum.conf from 1 to a 0...which isn't a fix.

@dcode said there was a way to install EPEL "upstream"?
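A narrower way to handle the EPEL metadata-signature failure than the global sed above, added here as an example that is not part of this thread or of the RockNSM project: yum lets a repository's own section override the `[main]` default for `repo_gpgcheck`, so the exception can be scoped to `[epel]` while every other repo keeps metadata checks and EPEL keeps package-signature checks (`gpgcheck=1`). Both config files below are constructed samples, not copied from a live host.

```python
"""Scope the STIG repo_gpgcheck exception to one repo instead of disabling it globally.

yum reads repo options from the repo's own [section] first and falls back to the
[main] section of /etc/yum.conf, so repo_gpgcheck=0 inside [epel] leaves every
other repository's repodata-signature check in force.
"""
import configparser
import io

# Constructed sample of a STIG-hardened /etc/yum.conf.
YUM_CONF = """[main]
gpgcheck=1
clean_requirements_on_remove=1
localpkg_gpgcheck=1
repo_gpgcheck=1
"""

# Constructed sample of /etc/yum.repos.d/epel.repo (trimmed, layout assumed).
EPEL_REPO = """[epel]
name=Extra Packages for Enterprise Linux 7 - $basearch
metalink=https://mirrors.fedoraproject.org/metalink?repo=epel-7&arch=$basearch
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7

[epel-debuginfo]
name=Extra Packages for Enterprise Linux 7 - $basearch - Debug
enabled=0
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7
"""


def _parse(text):
    # interpolation=None keeps yum variables such as $basearch literal.
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def audit(yum_conf, repo_text):
    """Return {repo_id: {"gpgcheck": bool, "repo_gpgcheck": bool}} as yum would apply them."""
    main = _parse(yum_conf)["main"]
    repos = _parse(repo_text)
    return {
        rid: {
            opt: repos[rid].getboolean(opt, fallback=main.getboolean(opt, fallback=False))
            for opt in ("gpgcheck", "repo_gpgcheck")
        }
        for rid in repos.sections()
    }


def scope_exception(repo_text, repo_id):
    """Return repo_text with repo_gpgcheck=0 set only in [repo_id]; gpgcheck is untouched."""
    repos = _parse(repo_text)
    if repo_id not in repos:
        raise KeyError("no such repo section: %s" % repo_id)
    repos[repo_id]["repo_gpgcheck"] = "0"
    buf = io.StringIO()
    repos.write(buf, space_around_delimiters=False)  # keep yum's key=value form
    return buf.getvalue()
```

Run `audit()` before and after `scope_exception(EPEL_REPO, "epel")` to confirm that only the EPEL repodata check is relaxed and that package signature verification still applies everywhere.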

jeffgeiger commented 6 years ago

Hmmmm. So, yeah... nope.

dcode commented 6 years ago

I can look at this tomorrow