Look into SCAP Workbench to help build a custom security profile for your application.

https://www.open-scap.org/tools/scap-workbench/

 

 

Robert

 

From: Fen Labalme [mailto:fen.labalme@civicactions.com]
Sent: Thursday, March 1, 2018 10:00 PM
To: SCAP Security Guide <scap-security-guide@lists.fedorahosted.org>
Subject: Disabling specific bash remediations

 

The goal is to create a hardened EC2 server on AWS from scratch. After provisioning a new RHEL/7 instance on AWS, we run `yum -y update` followed by the bash remediations from SSG using:

 

  command: 'oscap xccdf eval --profile {{ scapprofile }} --remediate \

    --results-arf /tmp/results-arf.xml --report /tmp/report.html \

    /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml'

 

But there are some remediations I don't want to run for an EC2 server such as install_smartcard_packages.sh and dracut-fips. Is there a way to prevent certain remediations from running?

 

Thanks,

=Fen

 

 

CONFIDENTIALITY NOTICE This message and any included attachments are from Cerner Corporation and are intended only for the addressee. The information contained in this message is confidential and may constitute inside or non-public information under international, federal, or state securities laws. Unauthorized forwarding, printing, copying, distribution, or use of such information is strictly prohibited and may be unlawful. If you are not the addressee, please promptly delete this message and notify the sender of the delivery error by e-mail or you may call Cerner's corporate offices in Kansas City, Missouri, U.S.A at (+1) (816)221-1024.