Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

"Detected custom leapp actors or files" false positive #1251

Open
swapdisk opened this issue Jun 4, 2024 · 1 comment
Open

"Detected custom leapp actors or files" false positive #1251

swapdisk opened this issue Jun 4, 2024 · 1 comment
Labels
bug Something isn't working

Comments

@swapdisk
Copy link

swapdisk commented Jun 4, 2024

Actual behavior

The recently introduced actor check_custom_modifications_actor is reporting a "Detected custom leapp actors or files" high severity finding if leapp-rhui-aws package is installed. The finding summary lists files provides by the leapp-rhui-aws package even though this is a legit Red Hat-signed package, i.e., not from third-party vendor, etc.

To Reproduce

Steps to reproduce the behavior

On RHEL8 PAYG EC2 instance:

  1. install leapp-rhui-aws
  2. install leapp-upgrade-el8toel9-0.20.0-2.el8 or later version
  3. run leapp preupgrade --no-rhsm --debug
  4. observe unfounded finding in leapp-report.txt, e.g.,
Risk Factor: high 
Title: Detected custom leapp actors or files.
Summary: We have detected installed custom actors or files on the system. These can be provided e.g. by third party vendors, Red Hat consultants, or can be created by users to customize the upgrade (e.g. to migrate custom applications). This is allowed and appreciated. However Red Hat is not responsible for any issues caused by these custom leapp actors. Note that upgrade tooling is under agile development which could require more frequent update of custom actors.
The list of custom leapp actors and files:
    - /usr/share/leapp-repository/repositories/system_upgrade/common/files/rhui/aws/cdn.redhat.com-chain.crt
    - /usr/share/leapp-repository/repositories/system_upgrade/common/files/rhui/aws/content-rhel9.crt
    - /usr/share/leapp-repository/repositories/system_upgrade/common/files/rhui/aws/content-rhel9.key
    - /usr/share/leapp-repository/repositories/system_upgrade/common/files/rhui/aws/leapp-aws.repo
    - /usr/share/leapp-repository/repositories/system_upgrade/common/files/rhui/aws/rhui-client-config-server-9.crt
    - /usr/share/leapp-repository/repositories/system_upgrade/common/files/rhui/aws/rhui-client-config-server-9.key
Related links:
    - Customizing your Red Hat Enterprise Linux in-place upgrade: https://red.ht/customize-rhel-upgrade
Remediation: [hint] In case of any issues connected to custom or third party actors, contact vendor of such actors. Also we suggest to ensure the installed custom leapp actors are up to date, compatible with the installed packages.
Key: 2064870018370ce2bde3f977cf753ed8c59848d0

Expected behavior

The finding should not be reported for leapp actors or files provided by a signed package supported by Red Hat.

System information (please complete the following information):

[root@neat7ray ~]# cat /etc/system-release
Red Hat Enterprise Linux release 8.10 (Ootpa)
[root@neat7ray ~]# uname -a
Linux neat7ray.example.com 4.18.0-553.el8_10.x86_64 #1 SMP Fri May 10 15:19:13 EDT 2024 x86_64 x86_64 x86_64 GNU/Linux
[root@neat7ray ~]# rpm -qa "*leapp*"
leapp-upgrade-el8toel9-deps-0.20.0-2.el8.noarch
leapp-rhui-aws-1.0.11-1.el8.noarch
leapp-0.17.0-1.el8.noarch
python3-leapp-0.17.0-1.el8.noarch
leapp-deps-0.17.0-1.el8.noarch
leapp-upgrade-el8toel9-0.20.0-2.el8.noarch

Attach (or provide link to) log files if applicable (optional - may contain confidential information):

# tar -czf leapp-logs.tar.gz /var/log/leapp /var/lib/leapp/leapp.db

leapp-logs.tar.gz


Additional context

The same issue exists with a RHEL7 PAYG EC2 instance.

@swapdisk swapdisk added the bug Something isn't working label Jun 4, 2024
@mkluson
Copy link
Member

mkluson commented Jun 5, 2024

Hi @swapdisk, thank you for reporting this unfortunate behavior. I created https://issues.redhat.com/browse/RHEL-40115 for better tracking within RH team. We will fix it in some future release (note it will be RHEL 8.10 and newer).

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bug Something isn't working
Projects
None yet
Development

No branches or pull requests

2 participants