
meza's Introduction

https://nasa.gov/ nasa | Twitter nasa | LinkedIn



Hi 👋, welcome to the NASA org on github.com!

Github.com/nasa has one of the largest collections of NASA open-source code repositories. Members of the NASA org can find instructions for github.com/nasa in http://nasa.github.io/.

🔭 Additional open-source code repositories reside in a variety of locations other than github.com/nasa. To discover code across all of these locations, we suggest you use code.nasa.gov & software.nasa.gov. These are two different sites holding metadata that describe code projects. Any code released through the NASA Software Release Authority process should be cataloged on those sites.

code.nasa.gov is a page with short descriptions of all of NASA's open-source code. Code.nasa.gov feeds into code.gov, which covers open-source and government-source code from many different U.S. governmental agencies. To assist in discovery, code projects described on code.nasa.gov have both human and A.I.-generated tags. These can be useful for finding related code projects.

software.nasa.gov contains metadata descriptions for all code projects in code.nasa.gov as well as government-source code projects only sharable with other government agencies. It is part of the larger https://technology.nasa.gov/ site that also includes patents and spinoffs. To help discoverability, software.nasa.gov puts each code project into one of the following categories: Business Systems and Project Management, System Testing, Operations, Design and Integration Tools, Vehicle Management (Space/Air/Ground), Data Servers Processing and Handling, Propulsion, Structures and Mechanisms, Crew and Life Support, Data and Image Processing, Materials and Processes, Electronics and Electrical Power, Environmental Science (Earth, Air, Space, Exoplanet), Autonomous Systems, and Aeronautics.



NOTE - PROFILE READMES CURRENTLY DON'T WORK FOR ORG PROFILES ONLY USER PROFILES :(

https://github.community/t/readme-for-organization-front-page/2920

meza's People

Contributors

afoster, bawolff, bryandamon, chking1, cicalese, darenwelsh, djflux, emanspeaks, garrettgeorge, ggjsc, hexmode, jamesmontalvo3, kiwi-wi, krisfield, marcd6, ndc-rkevans, revansx, trey-d, v-brooks, xp1


meza's Issues

epel-release does not install because GPG check FAILED

Environment

VMware
Red Hat Enterprise Linux release 8.8 (Ootpa)
d103da8

Issue details

The epel-release package fails to install during getmeza.sh execution because the GPG check FAILED.

/opt/meza/src/scripts/getmeza.sh
Enabling code-ready-builder and ansible repo for RHEL. This may take some time.
Repository 'codeready-builder-for-rhel-8-x86_64-rpms' is enabled for this system.
Repository 'ansible-2-for-rhel-8-x86_64-rpms' is enabled for this system.
Updating Subscription Management repositories.
Red Hat Ansible Engine 2 for RHEL 8 x86_64 (RPM 3.3 MB/s | 2.5 MB 00:00
Red Hat CodeReady Linux Builder for RHEL 8 x86_ 11 MB/s | 8.8 MB 00:00
epel-release-latest-8.noarch.rpm 95 kB/s | 24 kB 00:00
Dependencies resolved.

Package Architecture Version Repository Size

Installing:
epel-release noarch 8-18.el8 @commandline 24 k

Transaction Summary

Install 1 Package

Total size: 24 k
Installed size: 35 k
Downloading Packages:
Public key for epel-release-latest-8.noarch.rpm is not installed
Error: GPG check FAILED
sed: can't read /etc/yum.repos.d/epel.repo: No such file or directory
cp: cannot stat '/etc/yum.repos.d/epel.repo': No such file or directory

I believe this is because NASA-SPEC-2601OS.RHEL8, Red Hat Enterprise Linux 8 Security Configuration Specification has control "NASA-ASCS-20158: Ensure gpgcheck Enabled for Local Packages" which mandates "localpkg_gpgcheck=1" be set in the /etc/yum.conf file.

This means the public key of the epel-release package has to be imported first before it will install properly.
My fix is to execute "rpm --import http://download.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-8" before running getmeza.sh.

getmeza.sh should import the RPM-GPG-KEY-EPEL-8 before attempting to install.
NASA-SPEC-2601OS.RHEL8_v1.7.pdf

Website does not meet Agency's DIT (Data In Transit) or TLS (Transport Layer Security) requirements

Environment

VMware
Red Hat Enterprise Linux release 8.8 (Ootpa)
d103da8

Issue details

After meza deploy monolith, the haproxy configuration does not meet NASA specs.

Edit /etc/haproxy/haproxy.cfg and update settings based on NASA-SPEC-2650 for TLS.
Set ciphers:
ssl-default-bind-ciphers EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:EDH+aRSA:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!DHE-RSA-CAMELLIA256-SHA:!DHE-RSA-AES256-SHA256:!DHE-RSA-AES256-SHA:!DHE-RSA-AES128-SHA256:!DHE-RSA-AES128-SHA:!DHE-RSA-SEED-SHA:!DHE-RSA-CAMELLIA128-SHA

Set protocols:
ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11

Commented out port 80:
#frontend www-http
#    bind *:80
#    reqadd X-Forwarded-Proto:\ http
#    default_backend www-backend

Set HSTS max-age to one year:
http-response set-header Strict-Transport-Security max-age=31557600;\ includeSubDomains;\ preload;

Each administrator should copy their server's certificate, unencrypted certificate key, and CA chain into /etc/haproxy/certs/meza.pem
Ex. cat server.crt server.key ca-bundle.crt > meza.pem

Also, update template so that future deployments retain the settings:
/opt/meza/src/roles/haproxy/templates/haproxy.cfg.j2

NASA-SPEC-2650_v4.0_TLS.pdf
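
A check for the settings listed in this issue, as an added example that is not part of the original issue or of meza. The function name audit_haproxy_cfg and the sample config are constructed for illustration, and comment stripping assumes `#` never appears inside a directive value.

```shell
#!/bin/sh
# Added example (not meza code): audit an haproxy.cfg for the issue's settings.
# Prints one FAIL line per finding and returns the number of findings.
audit_haproxy_cfg() {
    # Strip comments and blank lines so commented-out directives do not count.
    active=$(sed -e 's/[[:space:]]*#.*$//' -e '/^[[:space:]]*$/d' "$1")
    findings=0
    # SSLv3, TLS 1.0 and TLS 1.1 must all be disabled by default.
    opts=$(printf '%s\n' "$active" |
        awk '$1 == "ssl-default-bind-options" { $1 = ""; print }' | tr '\n' ' ')
    for flag in no-sslv3 no-tlsv10 no-tlsv11; do
        case " $opts " in
            *" $flag "*) ;;
            *) echo "FAIL: ssl-default-bind-options lacks $flag"
               findings=$((findings + 1)) ;;
        esac
    done
    # An explicit cipher list must be set (its contents are not judged here).
    if ! printf '%s\n' "$active" | awk '$1 == "ssl-default-bind-ciphers" { ok = 1 } END { exit !ok }'; then
        echo "FAIL: ssl-default-bind-ciphers is not set"
        findings=$((findings + 1))
    fi
    # No active listener may remain on plain-HTTP port 80.
    if printf '%s\n' "$active" | awk '$1 == "bind" && ($2 ~ /:80$/ || $2 ~ /:80,/) { hit = 1 } END { exit !hit }'; then
        echo "FAIL: an active bind on port 80 remains"
        findings=$((findings + 1))
    fi
    # HSTS max-age must be at least one year, the value given in the issue.
    age=$(printf '%s\n' "$active" |
        sed -n 's/.*Strict-Transport-Security.*max-age=\([0-9][0-9]*\).*/\1/p' | head -n 1)
    if [ "${age:-0}" -lt 31557600 ]; then
        echo "FAIL: HSTS max-age is ${age:-missing}, expected >= 31557600"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Constructed sample config that still has several of the gaps.
sample=$(mktemp)
cat > "$sample" <<'EOF'
global
    ssl-default-bind-options no-sslv3
frontend www-http
    bind *:80
EOF
audit_haproxy_cfg "$sample" || echo "findings: $?"
rm -f "$sample"
```

Run against both /etc/haproxy/haproxy.cfg and the rendered output of the haproxy.cfg.j2 template, so a later deploy that reverts the settings is caught.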

shtool at '/var/tmp/memcached/build/shtool' does not exist or is not executable

Environment

VMware
Red Hat Enterprise Linux release 8.8 (Ootpa)
d103da8

Issue details

During "meza monolith deploy", TASK [apache-php : Install memcached PECL packages] fails:

fatal: [localhost]: FAILED! => {
"changed": true,
"cmd": "pecl install --configureoptions 'with-libmemcached-dir="no" with-zlib-dir="no" with-system-fastlz="no" enable-memcached-igbinary="no" enable-memcached-msgpack="no" enable-memcached-json="no" enable-memcached-protocol="no" enable-memcached-sasl="yes" enable-memcached-session="yes"' memcached\n",
"delta": "0:00:01.199410",
"end": "2023-03-20 15:59:39.181133",
"rc": 1,
"start": "2023-03-20 15:59:37.981723"
}

STDOUT:

pecl/memcached can optionally use PHP extension "igbinary" (version >= 2.0)
pecl/memcached can optionally use PHP extension "msgpack" (version >= 2.0)
downloading memcached-3.2.0.tgz ...
Starting to download memcached-3.2.0.tgz (90,722 bytes)
.....................done: 90,722 bytes
18 source files, building
running: phpize
Configuring for:
PHP Api Version: 20190902
Zend Module Api No: 20190902
Zend Extension Api No: 320190902
shtool at '/var/tmp/memcached/build/shtool' does not exist or is not executable.
Make sure that the file exists and is executable and then rerun this script.

ERROR: `phpize' failed

MSG:

non-zero return code
...ignoring

This occurs because NASA-SPEC-2601OS.RHEL8 (RED HAT ENTERPRISE LINUX 8 SECURITY CONFIGURATION SPECIFICATION) has the control "NASA-ASCS-20238: Add noexec Option to /var/tmp".

The mount command can be used to determine if there is a noexec option on the file system:

mount | grep /var/tmp

/dev/sdb6 on /var/tmp type ext4 (rw,nosuid,nodev,noexec,relatime,seclabel)

If noexec is in the list of options, then the /var/tmp file system has to be remounted with the "exec" option for the task to be completed without error:
mount -o remount,exec /var/tmp

At the end of the task, /var/tmp should be changed back to noexec to remain compliant with NASA-SPEC-2601OS.RHEL8:
mount -o remount,noexec /var/tmp

NASA-SPEC-2601OS.RHEL8_v1.7.pdf
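
One way to keep /var/tmp mounted exec only for the duration of a single command, as an added example rather than meza's own code. The names with_exec_tmp and has_noexec are hypothetical, and the script assumes util-linux findmnt and root privileges.

```shell
#!/bin/sh
# Added example (not meza code): run one command with /var/tmp temporarily
# remounted exec, and put noexec back even when the command fails.

# True if the comma-separated mount option list in $1 contains noexec.
has_noexec() {
    case ",$1," in
        *,noexec,*) return 0 ;;
        *) return 1 ;;
    esac
}

with_exec_tmp() {
    mnt=/var/tmp
    # Options of the file system mounted at $mnt; empty if it is not a mount point.
    opts=$(findmnt -n -o OPTIONS -M "$mnt" 2>/dev/null) || opts=
    if ! has_noexec "$opts"; then
        "$@"                      # not noexec: nothing to relax or restore
        return
    fi
    mount -o remount,exec "$mnt" || return 2
    # Restore on Ctrl-C or termination as well as on normal return.
    trap 'mount -o remount,noexec "$mnt"; exit 130' INT TERM
    rc=0
    "$@" || rc=$?
    trap - INT TERM
    if ! mount -o remount,noexec "$mnt"; then
        echo "WARNING: $mnt is still mounted exec" >&2
        return 3
    fi
    return "$rc"
}

# Used as a wrapper script (as root): sh with-exec-tmp.sh <command> [args...]
if [ "$#" -gt 0 ]; then
    with_exec_tmp "$@"
fi
```

The wrapped command's exit status is passed through, so a failing task still fails after noexec has been restored.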

Where to find meza version in any webpage? CommandLine? mwmeza#1312

Initially, created issue 1312 on the gh enterprisemediawiki meza because this wiki points to a broken nasa/meza/ issue for github issues as talked about in enterprisemediawiki/meza#1312 (comment).

Have spent three+ hours trying to find the exact version of our current meza wiki on wiki webpages themselves, but it is not there.

Could not find on webpage, so ssh'ed into the host expecting meza cli would document the way to find the existing version.

Happened across Jamesmontalvo3's issue "meza --version fails in python 3.x #1311", but that does NOT show in the webpage.

Environment

**xcp-ng.org xen vm**
**CentOS Linux release 7.9.2009 (Core)**
**meza version hash:  (run cd /opt/meza && git rev-parse --short HEAD and report output) **
https://github.com/enterprisemediawiki/meza/commit/3838ace53f9a61da7dcd83f6b6ec61d83e1d9326
Note, one has to open a new case in order to find out how to get their current version of the git hash :(

Issue details

meza help or meza version both crash and meza does not mention a version number nor the command to find the version. Otherwise, no error message because there is no webpage to look at or command to run that I could find. So experimented.

meza version

        [mezawiki meza]$ meza version
        Traceback (most recent call last):
          File "/usr/bin/meza", line 1193, in <module>
            main(sys.argv[1:])
          File "/usr/bin/meza", line 63, in main
            display_docs(argv[0])
          File "/usr/bin/meza", line 1084, in display_docs
            f = open('/opt/meza/manual/meza-cmd/{}.txt'.format(name),'r')
        IOError: [Errno 2] No such file or directory: '/opt/meza/manual/meza-cmd/version.txt'

meza help

        [user@intrawiki ~]$ meza help
        Traceback (most recent call last):
          File "/usr/bin/meza", line 1193, in <module>
            main(sys.argv[1:])
          File "/usr/bin/meza", line 63, in main
            display_docs(argv[0])
          File "/usr/bin/meza", line 1084, in display_docs
            f = open('/opt/meza/manual/meza-cmd/{}.txt'.format(name),'r')
        IOError: [Errno 2] No such file or directory: '/opt/meza/manual/meza-cmd/help.txt'  

Many more commands and file snooping. For some reason, did not think meza may actually be a script that I could read with a text editor.

Accessibility link in footer to meet 508 Compliance required by NASA

Environment

  • VMware virtual machine - Machine or Virtual Machine details: (VirtualBox, VMWare, Digital Ocean, AWS, etc)
  • redhat-release-eula-8.9-0.1.el8.x86_64 - Operating System: (run cat /etc/redhat-release and report output)
  • a38b6e0 - meza version hash: (run cd /opt/meza && git rev-parse --short HEAD and report output)

Issue details

Agency-IT-Outreach sent email on 3/12/24 from Chief Information Officer stating all NASA web sites, both internal and external, require a link to NASA's accessibility statement, located at https://www.nasa.gov/accessibility/, in the footer.

One solution could be to:

  1. Add the following to the LocalSettings.php page:
        $wgHooks['SkinAddFooterLinks'][] = function ( Skin $skin, string $key, array &$footerlinks ) {
            if ( $key === 'places' ) {
                // escaped() is used because rawElement() inserts the link text without escaping it.
                $footerlinks['508link'] = Html::rawElement( 'a',
                    [ 'href' => 'https://www.nasa.gov/accessibility/', 'rel' => 'noreferrer noopener' ],
                    $skin->msg( 'Accessibility-link' )->escaped() );
            }
        };

  2. Then create a new page at https:///index.php?title=MediaWiki:Accessibility-link and just drop the word ‘Accessibility’ in it.

Meza Deploy overwrites /etc/ssh/sshd_config

Environment

VMware
Red Hat Enterprise Linux release 8.8 (Ootpa)
d103da8

Issue details

By default, executing 'meza deploy monolith' overwrites the /etc/ssh/sshd_config file. This could potentially prevent remote SSH logins for systems that have been configured to use PIV-SSH, with password and public key authorizations disabled. It also clobbers other settings that have been made to meet the NASA OpenSSH Security Configuration Specification (attached and located online at https://cset.nasa.gov/ascs/application/open-source-openssh/).

Before running 'meza deploy monolith' the first time, I save the /etc/ssh/sshd_config file. Then after deployment, I copy it back.

To prevent future overwrites, I must modify /opt/meza/config/defaults.yml and set:
use_default_ssh_config: False

My first suggestion is to never completely overwrite /etc/ssh/sshd_config. If meza would like to modify a setting in /etc/ssh/sshd_config, then there should be a prompt to ask whether such a change can be made.

NASA OpenSSH Security Configuration Specification v1.4.pdf

PHP Unsupported Version Detection

Environment

VMware virtual machine
redhat-release-eula-8.9-0.1.el8.x86_64
a38b6e0 (meza version hash)

Issue details

IT Security scan reports PHP Unsupported Version Detection:
Source : X-Powered-By: PHP/7.4.33
Installed version : 7.4.33
End of support date : 2022/11/28
Announcement : http://php.net/supported-versions.php
Supported versions : 8.0.x / 8.1.x
