Kevin,
  Thank you for the reply.  I've been banging my head on this for about a week now and either I'm doing something wrong or there is a bug in the org_fedora_oscap anaconda addon.  I *have* made this work (mostly) if I skip the anaconda addon and simply run oscap from my %post section.  

  The initial work I was doing was just using a floppy to provide both the kickstart and the tailoring file from scap-workbench.  We've migrated to having a full bootable ISO remastered from the RHEL 7.3 install media instead, with our tailoring file added as an extra RPM to be installed.  I finally managed some syntax on the oscap addon that didn't raise an exception using this:

%addon org_fedora_oscap
  content-type = scap-security-guide
  profile = ospp-rhel7-server
  tailoring-path = ../../usr/share/xml/scap/custom/tailoring.xml
%end

But after the system installs my modified banner is not present.  Looking at the logs it appears that the tailoring path was completely ignored.  I re-installed the system and dropped to one of the alternate windows to see exactly what oscap command was being executed and it was this:

oscap xccdf eval --remediate --results=/root/openscap_data/eval_remediate_results.xml --profile=ospp-rhel7-server tailoring-file=/usr/share/xml/scap/custom/tailoring.xml /usr/share/xml/scap/ssg/content/ssg-rhel7-xccdf.xml

While it runs apparently without error messages - I've noticed several things:
  1) my tailoring is never used - just the steps from the profile
  2) it looks like some of the 'kickstart actions' are not being done - if I understand the USGCB profile, it has an action for installing the 'screen' package if needed, but this is not happening at kickstart.  I just found a bug in the oscap anaconda addon (https://github.com/OpenSCAP/oscap-anaconda-addon/issues/16) that seems to confirm this, at least for RHEL 7.3 which we are using.
  3) If I run the above command from a 'live' system (with or without the tailoring line) it still ignores the tailoring and a quick message is displayed - 'This content points out to the remote resources. Use `--fetch-remote-resources` option to download them.'  If I provide an incorrect filename for the tailoring it does error without doing any other actions.

So far the only way I've been able to have my tailoring file used is to use a command similar to what scap-workbench displays in the 'dry-run' option - and that command uses the datastream flavor of commands not the xccdf flavor.  

So it seems if I want to have tailoring done using the plugin I have to use the datastream content, which I can't because these systems will be totally isolated at configuration.   

None of this is a hard show-stopper, but it means that the oscap plugin is not usable as it stands.  Right now I don't have time to delve deeper into the plugin (although I have pulled the source to try and understand it better).  

-Rob
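Two things in the log line above are worth checking before digging into the addon itself: the option oscap documents is `--tailoring-file`, while the logged command shows `tailoring-file=` without the leading dashes, and a tailoring saved by scap-workbench normally defines a new profile id ending in `_customized`, so `--profile` has to name that tailored profile rather than the base one or the customisations contribute nothing to the evaluation. The following is an added example, not code from the thread or from the oscap-anaconda-addon project: a small POSIX shell helper that could be dropped into `%post` (or run from a live system) to verify the tailoring file is readable and really is an XCCDF Tailoring document, list the profile ids it defines, warn when `--profile` does not match one of them, and print the exact oscap command line before running it. The file paths, the `ospp-rhel7-server` profile id and the results path are taken from the thread; the `--run` switch and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the thread: a %post-style helper that checks the
# tailoring file before calling oscap and always passes it with the
# documented "--tailoring-file" option.  Paths below are the ones used in
# the thread; adjust them to wherever your RPM installs the tailoring file.
TAILORING=/usr/share/xml/scap/custom/tailoring.xml
CONTENT=/usr/share/xml/scap/ssg/content/ssg-rhel7-xccdf.xml
PROFILE=ospp-rhel7-server
RESULTS=/root/openscap_data/eval_remediate_results.xml

# check_tailoring FILE
# Succeeds only if FILE is readable and is an XCCDF Tailoring document, and
# prints the id of every Profile it defines, one per line.
check_tailoring() {
    f=$1
    [ -r "$f" ] || { echo "tailoring file not readable: $f" >&2; return 1; }
    grep -q '<[A-Za-z0-9:]*Tailoring' "$f" \
        || { echo "not an XCCDF Tailoring document: $f" >&2; return 1; }
    sed -n 's/.*<[A-Za-z0-9:]*Profile[^>]*[[:space:]]id="\([^"]*\)".*/\1/p' "$f"
}

# profile_defined PROFILE FILE
# Succeeds if PROFILE is exactly one of the profile ids FILE defines.  A
# tailoring saved by scap-workbench normally defines a new id ending in
# "_customized"; if --profile names the base profile instead, only the base
# profile's rules are evaluated and the tailoring is not used.
profile_defined() {
    check_tailoring "$2" | grep -qx "$1"
}

# build_cmd PROFILE TAILORING CONTENT
# Prints the exact command line that will run, so it can be compared with
# what anaconda logged.
build_cmd() {
    printf 'oscap xccdf eval --remediate --profile %s --tailoring-file %s --results %s %s\n' \
        "$1" "$2" "$RESULTS" "$3"
}

# Run for real only when invoked as "sh harden.sh --run" (e.g. from %post);
# sourcing the file just defines the helpers.
if [ "${1:-}" = "--run" ]; then
    ids=$(check_tailoring "$TAILORING") || exit 1
    echo "tailoring defines: $ids"
    if ! profile_defined "$PROFILE" "$TAILORING"; then
        echo "warning: --profile $PROFILE is not a profile id defined in $TAILORING;" \
             "check that it names the tailored profile" >&2
    fi
    mkdir -p "$(dirname "$RESULTS")"
    build_cmd "$PROFILE" "$TAILORING" "$CONTENT"
    oscap xccdf eval --remediate --profile "$PROFILE" --tailoring-file "$TAILORING" \
        --results "$RESULTS" "$CONTENT"
fi
```

Calling this from `%post --log=/root/ks-post.log` with `--run` leaves the printed command line and any warning in the kickstart log, which is easier to inspect after the install than switching to the alternate console. Note that `oscap xccdf eval` exits non-zero when any rule fails, so do not wrap the call in `set -e` if a failing rule should not abort the rest of `%post`.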
From: Kevin Spargur (kspargur) [kspargur@cisco.com]
Sent: Friday, February 10, 2017 3:24 PM
To: SCAP Security Guide
Subject: EXTERNAL: Re: Kickstart from floppy wth SCAP and tailoring

Hey Rob,

In the past, for self-contained CD installers I’ve used /run/install/repo/base_folder_on_cd/somefile for kickstart includes.  Depending on your setup that may or may not work for you.

Media with a /folder/file.xml

%addon org_fedora_oscap
  …
  tailoring-path = /run/install/repo/folder/file.xml
  …
%end

Food for thought.

-Kevin

From: Robert Sanders <rsanders@forcepoint.com>
Reply-To: SCAP Security Guide <scap-security-guide@lists.fedorahosted.org>
Date: Friday, February 10, 2017 at 3:12 PM
To: SCAP Security Guide <scap-security-guide@lists.fedorahosted.org>
Subject: RE: Kickstart from floppy wth SCAP and tailoring

Yep, that's where I started, just making sure I could get a hardened image at install.  But you can't (at least I didn't see a place on my RHEL7.3 box) make changes to the selection of profiles included with the install RPM.  I can bring up scap-workbench on a live box and make my changes there, and I was hoping to grab that customization and use it for the 'tailoring-path' option in the '%addon org_fedora_oscap' section.  Anaconda yowls after installing stuff that it can't find the file.  At the point where the error occurred it doesn't look like the floppy is mounted at all.  This is my first dive into using kickstarts/anaconda like this and I'm not sure it is possible out of the box.

I'm considering two workarounds -

1) Remaster the RHEL7.3 install ISO to include a new RPM with my customization tucked into the correct location
2) Stand up a webserver to supply a datastream or archive of the desired profile, with my tailoring, and reference that via https

I'm still sorting out in my head where the remediation happens during install - if I understand it correctly the indicated profile is scanned early enough to pull the info about partitioning and the like before much is done, and other bits happen after everything is installed.  But I don't know if that later hardening is before or after the %post section happens.

-Rob

From: Albrecht, Thomas C [thomas.c.albrecht@lmco.com]
Sent: Friday, February 10, 2017 2:50 PM
To: SCAP Security Guide
Subject: EXTERNAL: RE: Kickstart from floppy wth SCAP and tailoring

Have you tried doing a manual install using the SCAP hardening in the install menu, and then stealing the code from the resulting anaconda.cfg that is generated in /root?

From: Robert Sanders [mailto:rsanders@forcepoint.com]
Sent: Friday, February 10, 2017 2:48 PM
To: scap-security-guide@lists.fedorahosted.org
Subject: EXTERNAL: Kickstart from floppy wth SCAP and tailoring

Hi all,

  Have a quick question - I'm looking at using a kickstart file to automate our OS install, but I also want to use the SCAP plugin to handle the initial lockdown of our images.  Looking at the 'tailoring-path' option to the anaconda plugin looks promising, but the docs indicate that the path for this option is relative to the archive being used.  Is there a way to specify the path so that it will use the path from the 'floppy' image I'm using (currently booting by adding "linux ks=hd:fd0:ks.cfg"), or do I need to stand everything up as an http/https/ftp server and reference the SCAP contents and my tailoring file that way?

-Rob

Scanned by Forcepoint Email Security Gateway