Forum Discussion
RHEL Detection Changes
Enhanced Detection in Plugins Targeting RHEL Systems
Plugin
Applicable “Red Hat Local Security Checks” family plugins.
Target Release Date
23 Jan 2023
Change
Today, our RHEL vulnerability detection plugins test for the presence of officially-supported repository labels to determine whether relevant repositories are installed on a system. While this approach follows Red Hat's guidance, it cannot be relied on in some cases, such as where Red Hat Update Infrastructure (“RHUI”) repositories are enabled.
In collaboration with Red Hat, we have developed a new approach that captures the RHUI scenario accurately. Instead of relying only on the repository labels in the /etc/yum.repos.d/redhat.repo file, we will now determine which repositories are in use by checking the repository URLs in any repo file within the /etc/yum.repos.d directory.
Impact
Checking enabled repositories is the most accurate way to determine which plugins should run against specific configurations.
Before this change, this was only possible if the /etc/yum.repos.d/redhat.repo file contained the default repository labels. Because of environmental configurations, many scans were not able to determine which repositories were enabled. Instead, they relied on basic rpm version checking, which can produce inaccurate results due to Red Hat's rpm version numbering practices.
Customers will now see more accurate findings in configurations where custom label names are used and/or where other files in /etc/yum.repos.d/ are used to store repositories. If an internal mirror uses the same URL structure as official Red Hat mirrors, findings may also become more accurate. Otherwise, there will be no change in behavior in configurations where repositories point to internal mirrors.
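To make the label-based versus URL-based distinction concrete, here is an added example that is not part of the original post or of Tenable's plugin code. It parses the contents of constructed .repo files (embedded inline, standing in for files under /etc/yum.repos.d/), then reports enabled repositories two ways: by matching the section label against a set of default labels, and by matching the baseurl path against an assumed Red Hat content layout (`.../content/dist/rhel<major>/<release>/<arch>/<repo>/os`). The default label set, the sample URLs and the path pattern are assumptions for illustration; a custom-labelled RHUI repository is only recognised by the URL check, and a mirror with its own layout is recognised by neither, which is the behaviour the Impact section describes.

```python
import configparser
import re
from urllib.parse import urlparse

# Constructed sample contents of files under /etc/yum.repos.d/ (not real files).
SAMPLE_REPO_FILES = {
    "redhat.repo": """
[rhel-8-for-x86_64-baseos-rpms]
name = Red Hat Enterprise Linux 8 for x86_64 - BaseOS (RPMs)
baseurl = https://cdn.redhat.com/content/dist/rhel8/8/x86_64/baseos/os
enabled = 1
""",
    "rhui.repo": """
[corp-baseos]
name = Corporate BaseOS via RHUI (custom label, Red Hat URL layout)
baseurl = https://rhui.example.internal/pulp/content/dist/rhel8/8/x86_64/baseos/os
enabled = 1

[corp-appstream]
name = Corporate AppStream via RHUI (disabled)
baseurl = https://rhui.example.internal/pulp/content/dist/rhel8/8/x86_64/appstream/os
enabled = 0

[corp-tools]
name = Internal mirror with its own directory layout
baseurl = https://mirror.example.internal/rhel8/tools
enabled = 1
""",
}

# Assumed Red Hat content path layout (an assumption for this example, not a
# documented Tenable or Red Hat rule): /content/dist/rhel<major>/<release>/<arch>/<repo>/os
RH_CONTENT_PATH = re.compile(
    r"/content/dist/rhel(?P<major>\d+)/[^/]+/(?P<arch>[^/]+)/(?P<repo>[^/]+)/os/?$"
)

# Constructed sample of the default labels a label-based check would look for.
DEFAULT_LABELS = {"rhel-8-for-x86_64-baseos-rpms", "rhel-8-for-x86_64-appstream-rpms"}


def parse_repo_files(files):
    """Parse INI-style .repo contents into a list of repository entries.

    Each entry records the file it came from, its section label, its baseurl
    and whether it is enabled (yum treats a missing 'enabled' as 1).
    """
    entries = []
    for fname, text in files.items():
        cp = configparser.ConfigParser(interpolation=None)
        cp.read_string(text)
        for label in cp.sections():
            sect = cp[label]
            entries.append({
                "file": fname,
                "label": label,
                "baseurl": sect.get("baseurl", "").strip(),
                "enabled": sect.get("enabled", "1").strip() == "1",
            })
    return entries


def enabled_by_label(entries, known_labels=DEFAULT_LABELS):
    """Old approach: recognise only enabled repos whose label is a default label."""
    return sorted(e["label"] for e in entries if e["enabled"] and e["label"] in known_labels)


def enabled_by_url(entries):
    """New approach: recognise enabled repos whose baseurl path follows the
    assumed Red Hat layout, whatever the label or file name.

    Returns {label: "rhel<major>/<arch>/<repo>"} for every match.
    """
    found = {}
    for e in entries:
        if not e["enabled"]:
            continue
        match = RH_CONTENT_PATH.search(urlparse(e["baseurl"]).path)
        if match:
            found[e["label"]] = f"rhel{match['major']}/{match['arch']}/{match['repo']}"
    return found


if __name__ == "__main__":
    repos = parse_repo_files(SAMPLE_REPO_FILES)
    print("label-based:", enabled_by_label(repos))
    print("url-based:  ", enabled_by_url(repos))
```

On the constructed input the label-based check reports only `rhel-8-for-x86_64-baseos-rpms`, while the URL-based check additionally reports `corp-baseos` as the RHEL 8 BaseOS repository; `corp-appstream` is skipped because it is disabled, and `corp-tools` is not matched by either check because its mirror does not follow the Red Hat URL structure. Reading these files needs only read access on the scanned host, not outbound network access.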
5 Replies
- jones_bryan (Connect Contributor)
Can you clarify what the "checking the repository URL ..." actually means? Does this mean that the Nessus scanner would need to have internet access? Also, that means the account used to perform the scans needs to have read only access to those repo files?
Checking the repository URL does not require internet access. The check is accomplished by reading the contents of files in /etc/yum.repos.d/. Previously, the checks read in the repository label. The enhanced checks will instead read the URL parameter.
You are correct; read access is required for the repository files.
- thayyilthodim (Connect Contributor)
Wonderful. We were crying for this for some time now as almost all our detection was false positive. I hope it will fix our problem.
- thayyilthodim (Connect Contributor)
Can you confirm if it is already available in the t.SC 5.23.x?
We are still seeing similar issues.
- pciszecki (Support Team)
@Mohamed Sadiq please check if the plugin set and feed is updated.